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of RAM in 1U 





KEY FEATURES

iXR-22X4IB
- Dual Intel® Xeon® Processors E5-2600 Family per node
- Intel® C600 series chipset
- Four server nodes in 2U of rack space
- Up to 256GB main memory per server node
- One Mellanox® ConnectX QDR 40Gbp/s Infiniband w/QSFP Connector per node
- 12 SAS/SATA drive bays, 3 per node
- Hardware RAID via LSI2108 controller
- Shared 1620W redundant high-efficiency Platinum level (91%+) power supplies

iXR-1204+10G
- Dual Intel® Xeon® Processors E5-2600 Family
- Intel® C600 series chipset
- Intel® X540 Dual-Port 10 Gigabit Ethernet Controllers
- Up to 16 Cores and 32 process threads
- Up to 768GB main memory
- Four SAS/SATA drive bays
- Onboard SATA RAID 0, 1, 5, and 10
- 700W high-efficiency redundant power supply with FC and PMBus (80%+ Gold Certified)


Call iXsystems toll free or visit our website today! 1-855-GREP-4-IX | www.iXsystems.com 








High-Density iXsystems Servers powered by the 
Intel® Xeon® Processor E5-2600 Family and Intel® 
C600 series chipset can pack up to 768GB of RAM 
into 1U of rack space or up to 8 processors - with 
up to 128 threads - in 2U. 


On-board 10 Gigabit Ethernet and Infiniband for Greater 
Throughput in less Rack Space. 


Servers from iXsystems based on the Intel® Xeon® Processor E5-2600 
Family feature high-throughput connections on the motherboard, saving 
critical expansion space. The Intel® C600 Series chipset supports up to 
384GB of RAM per processor, allowing performance in a single server to 
reach new heights. This ensures that you're not paying for more than you 
need to achieve the performance you want. 


The iXR-1204+10G features dual onboard 10GigE + dual onboard 
1GigE network controllers, up to 768GB of RAM and dual Intel® Xeon® 
Processors E5-2600 Family, freeing up critical expansion card space for 
application-specific hardware. The uncompromised performance and 
flexibility of the iXR-1204+10G makes it suitable for clustering, high-traffic 
webservers, virtualization, and cloud computing applications - anywhere 
you need the most resources available. 


For even greater performance density, the iXR-22X4IB squeezes four 
server nodes into two units of rack space, each with dual Intel® Xeon® 
Processors E5-2600 Family, up to 256GB of RAM, and an on-board Mellanox® 
ConnectX QDR 40Gbp/s Infiniband w/QSFP Connector. The iXR-22X4IB is 
perfect for high-powered computing, virtualization, or business intelligence 
applications that require the computing power of the Intel® Xeon® Processor 
E5-2600 Family and the high throughput of Infiniband. 





Intel, the Intel logo, and Xeon Inside are trademarks or registered trademarks of Intel Corporation in the U.S. and other countries. 
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SECURITY 


Dear BSD Readers, 


This January issue of BSD is devoted to Unix Security. It is the 
beginning of the year so we think that all of us have made some 
New Year resolutions. I think that all of us want to be happy and feel 
secure and that is why we created this issue devoted to Unix Security. 

Inside this BSD issue, we collected the articles written by experts in 
that field to provide you with best-quality knowledge. Enjoy your reading 
and develop with our Magazine! 

Inside this BSD issue, we publish the 3 articles by Mark Sitkowski. 
If you want to find out more on Unix security, you should read them 
all. We would like to highlight this one on Dynamic Memory Allocation 
in Unix Systems. 

Also, we recommend that you read Phillip’s article that will teach you 
how to use the Mac OS X hackers toolbox. This article can be extremely 
useful for all Mac users who aspire to be good security experts. 

Of course, please do not forget to read the 3rd part of Arkadiusz’s 
article on Virtual Private Networks supported by OpenSSH. And for 
dessert, please go to see what Rob wrote for you this time. We really 
like his column and are waiting for the next month eagerly. 

However, as long as we have our precious readers, we have a 
purpose. We owe you a huge THANK YOU. Everything we do, we do 
with you on our minds. We are grateful for every comment and opinion, 
either positive or negative. Every word from you lets us improve BSD 
magazine and brings us closer to the ideal shape of our publication, 
or, we should say — your publication. 

Thank you BSD fans for your invaluable support and contribution. 


Ewa & BSD team 
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Nmap: How to Use It 
Sahil Khan 

Nmap stands for “Network Mapper”. It's been seen in 
many films like the Matrix Reloaded, Bourne Ultimatum, 
Die Hard 4, etc. When Nmap was created, it could only be 
used on the Linux Platform but now it supports all the major 
OSes like Linux, UNIX, Windows, and Mac OS platforms. 
Sahil will teach you how to use it and why you should start. 


How to Use The Mac OS X Hackers Toolbox 
Phillip Wylie 

When you think of an operating system to run pen testing 
tools on, you probably think of Linux and more specifically, 
BackTrack Linux. BackTrack Linux is a great option and 
one of the most common platforms for running pen testing 
tools. If you are a Mac user, then you would most likely 
run a virtual machine of BackTrack Linux. In this article, 
Philip is going to take you through the installation and 
configuration of some of the most popular and useful 
hacking tools, such as Metasploit, on Mac OS X. If you 
are interested in maximizing the use of your Mac for pen 
testing and running your tools natively, then you should 
find this article helpful. 


Basic Unix Queuing Techniques 
Mark Sitkowski 

It occasionally happens that our incoming or outgoing data 
cannot be processed as it is generated or, for some reason, 
we choose to process it at a later time. A typical example 
might be a client-server system, where it is necessary to 
queue the socket descriptors of incoming connections 
because of some limit on the number of active processes, 
or a message hub, which accepts data synchronously, 
but must rely on other processes to remove the data 
asynchronously. Apart from the numerous commercially- 
available third party implementations of queuing systems, 
Unix has two highly efficient queuing mechanisms, which 
can be used for extremely low overhead systems of 
queues. Read Mark’s article to find out how Unix Queuing 
Techniques work. 


How Secure can Secure Shell (SSH) be? 
Arkadiusz Majewski, BEng 

This article is the third part of the series on OpenSSH 
and configurations and includes tricks which make 
using the protocol more secure. Arkadiusz, in his article, 
concentrates on Virtual Private Networks supported by 
OpenSSH. 
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34 Unix Interprocess Communication 
Using Shared Memory 
Mark Sitkowski 
A shared memory segment is a section of RAM whose 
address is known to more than one process. The processes 
to which this address is known, have either read only, or 
read/write permission to the memory segment, whose 
access rights are set in the manner used by chmod. 


40 Sniffing and Recovering Network 

Information Using Wireshark 

Fotis Liatsis 
Wireshark is a free and open-source packet analyzer. 
It is used for network troubleshooting, analysis, software 
and communications protocol development, as well as 
education. Wireshark is cross-platform, using the GTK+ 
widget toolkit to implement its user interface and pcap to 
capture packets. It runs on various Unix-like operating 
systems including Linux, OS X, BSD, Solaris, and on 
Microsoft Windows. Fotis will show how easy it is to obtain 
sensitive data from snooping on a connection. The best 
way to prevent this is to encrypt the data that’s being sent. 
The most known encryption methods are SSL (Secure 
Sockets Layer) and TLS (Transport Layer Security). 


46 Dynamic Memory Allocation in Unix 
Systems 
Mark Sitkowski 
It is not always possible, at compile time, to know how big 
to make all of our data structures. When we send an SQL 
query to the database, it may return twenty million rows, 
or it may return one. 


Column 


52 Technology makes a wonderful slave 
but a cruel master. Both Amazon 
and Tesco, major retailers in the UK 
and worldwide have been severely 
criticised in the media for the use of 
technology to control and monitor staff 
excessively. As IT professionals, where 
do we draw the ethical line in the sand? 
Rob Somerville 
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Nmap: How to Use It 


Nmap stands for “Network Mapper”. It’s been seen in many 
films like the Matrix Reloaded, Bourne Ultimatum, Die Hard 
4, etc. When Nmap was created, it could only be used on the 
Linux Platform but now it supports all the major OSes like 
Linux, UNIX, Windows, and Mac OS platforms. 


From the beginning its only job was to be a port 
scanner, but now it can do the following things: re- 
mote OS detection, time-based scanning, firewall 
evasion techniques, the Scripting Engine, multi-probe 
ping scanning, etc. 



Installation of Nmap 
For the installation of Nmap, go to http://nmap.org/download.html. 
On this page you can find the following options: 

• Downloading Nmap 
• Source Code Distribution (in case you wish to compile Nmap yourself) 
• Microsoft Windows Binaries 
• Linux RPM Source and Binaries 
• Mac OS X Binaries 
• Other Operating Systems 


Installation on Windows 

Select options as per your operating system. First, we'll 
see how to install it in Windows. Go to the Microsoft Win- 
dows Binaries. Now you can use Nmap in graphical mode 
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Figure 1. All unzipped files 
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as well as command-line. For the command-line download click on: 

Latest command-line zipfile nmap-6.01-win32.zip 

For the graphical version click on: 

Latest self-installer nmap-6.01-setup.exe 

When the download is completed, you can find the folder named 
nmap-6.01. First unzip the folder. After unzipping, you can find 
3 directories and 26 files. Next to the three directories named 
License, nselib and scripts there are four executable files: nmap, 
winpcap-nmap-4.12, vcredist2008_x86 and vcredist_x86. The fifth 
important file is nmap_performance.reg; the others are supporting 
files for running nmap (there are also ncat, ndiff, nmap-update and 
nping, but we are not going to discuss them here). 

After that, first of all run winpcap-nmap-4.12 and install WinPcap. 
WinPcap is a packet capture library. Then install vcredist2008_x86 
and vcredist_x86 and, at last, 

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Figure 2. Registry Entry 
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double-click on the nmap_performance.reg file. This file 
adds the following entries under 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]: 

"MaxUserPort"=dword:0000fffe 
"TcpTimedWaitDelay"=dword:0000001e 
"StrictTimeWaitSeqCheck"=dword:00000001 

In the Parameters section there will be an entry of dword:0000fffe, 
which is a hexadecimal value; in decimal it is 65534, which means 
the maximum user port is 65534. TcpTimedWaitDelay is 0x1e, that is 
30, and StrictTimeWaitSeqCheck is set to 1, which makes Nmap wait 
for the sequence check. 


Now you can use nmap in Windows. Go into the in- 
stalled directory and give the simple command nmap 
10.0.0.5. In the figure below, you can see the result. 
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Figure 3. Ready to use in Windows 
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Linux RPM Source and Binaries 

Many popular Linux distributions (Redhat, Mandrake, Suse, etc) use the RPM package 
management system for quick and easy binary package installation. These may not work 
on Redhat 9 or earlier due to libc incompatibility issues. We have written a detailed guide to 
installing our RPM packages, though these simple commands usually do the trick: 

rpm -vhU http://nmap.org/dist/<package>.rpm (four such commands, one per package; the package names are illegible in the scan) 

You can also download and install the RPMs yourself: 
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Figure 4. Downloading the rpm file 
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


Installation on Ubuntu 

Step 1: downloading from the GUI 

Visit http://nmap.org/download.html for Linux — you 
can download it from the shell and from the GUI. 
Go to the 4th option, Linux RPM Source and Binaries, 
shown in Figure 4. Click on nmap-6.01-1.i386.rpm. Now it 
will download and you can see the 4.2 MB size. 

Step 2: downloading from the shell 
Go to the terminal and give the following command as 
shown in Figure 5. 

wget http://nmap.org/dist/nmap-6.00.tar.bz2 

After the download finishes, you can see the file named 
nmap-6.00.tar.bz2. 

Now you have to unpack this file by giving the command 
shown in Figure 6: 

bzip2 -cd nmap-6.00.tar.bz2 | tar xvf - 

And then you have to run ./configure, make and 
make install as root. 


Basic Scanning Technique 
In the basic technique, we use Nmap without any switch. 
In this section we can see the flexibility of Nmap because 
it supports Classless Inter-Domain Routing (CIDR) nota- 
tion, octet ranges, DNS names and IPv6 addresses. So how 
can we scan multiple IPs? 

Nmap gives the result in three columns. The first is PORT; 
it displays the port number and protocol. The second is 
STATE. There are six states that Nmap can report: 


• Open — the application listening on the port is accepting 
TCP or UDP connections. 

• Closed — the port is accessible, but no application is lis- 
tening on it. 

• Filtered — the port's response is blocked by a packet filter, 
so Nmap cannot tell whether the port is open or not. 

• Unfiltered — the port is accessible, but Nmap cannot 
determine whether it is open or closed. 


Figure 5. Downloading from the shell mode 
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Figure 6. Unzip nmap 
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• Open|Filtered — the ambiguous state where you 
don't know whether the port is open or not. You have to scan 
with techniques like Null, FIN and Xmas. 

• Closed|Filtered — even in this state Nmap is not 
able to identify whether the port is open or closed. For 
more information you have to scan the IP; the IP ID idle scan 
is the only way to know more. 


This is the status of the port — open or closed. The 
third is SERVICE — which type of service is running on 
the port. At the end Nmap shows the MAC address of 
the scanned system, how many hosts are up, and how 
much time Nmap consumed during the scan — most 
results show this in seconds. 
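As an added example (not from the article and not Nmap's own code), here is a small parser for the normal output described above: it reads the PORT / STATE / SERVICE table, the "Not shown" line and the MAC address for each host into records, then compares the open ports against a per-host allow-list, which is how a defender scanning their own network would catch firewall or service drift. The sample report is constructed to mirror the layout of the screenshots in Figures 7 and 9; its addresses, MAC addresses and vendor string are made up.

```python
"""Parse Nmap 'normal' output into per-host records and flag open ports that a
per-host allow-list does not expect.

Added example for this article (not Nmap's own code). SAMPLE_REPORT is
constructed to mirror the layout of the screenshots in Figures 7 and 9; its
addresses, MAC addresses and vendor string are made up.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE_REPORT = """\
Starting Nmap 6.00 ( http://nmap.org ) at 2012-08-02 13:06 IST
Nmap scan report for 10.0.0.5
Host is up (0.00018s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2869/tcp open  icslap
3389/tcp open  ms-wbt-server
MAC Address: 00:11:22:33:44:55 (Constructed Vendor)

Nmap scan report for 10.0.0.4
Host is up (0.00015s latency).
Not shown: 998 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
631/tcp closed ipp
MAC Address: 00:11:22:33:44:66 (Constructed Vendor)

Nmap done: 2 IP addresses (2 hosts up) scanned in 9.23 seconds
"""

# One regex per line type that carries data; every other line is skipped.
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
NOT_SHOWN_RE = re.compile(r"^Not shown: (.+)$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})")

PortKey = tuple[int, str]  # (port number, protocol)


@dataclass
class Host:
    address: str
    mac: str | None = None            # only reported for hosts on the local LAN
    not_shown: str | None = None      # e.g. "996 filtered ports"
    ports: dict[PortKey, tuple[str, str]] = field(default_factory=dict)  # -> (state, service)


def parse_report(text: str) -> list[Host]:
    """A 'Nmap scan report for' line opens a host; the lines after it fill it in."""
    hosts: list[Host] = []
    current: Host | None = None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            current = Host(address=m.group(1))
            hosts.append(current)
        elif current is None:
            continue                                  # banner before the first host
        elif m := NOT_SHOWN_RE.match(line):
            current.not_shown = m.group(1)
        elif m := PORT_RE.match(line):
            port, proto, state, service = m.groups()
            current.ports[(int(port), proto)] = (state, service)
        elif m := MAC_RE.match(line):
            current.mac = m.group(1).upper()
    return hosts


def open_ports(host: Host) -> set[PortKey]:
    return {key for key, (state, _) in host.ports.items() if state == "open"}


def unexpected_open(hosts: list[Host], allow: dict[str, set[PortKey]]) -> dict[str, set[PortKey]]:
    """Open ports the allow-list does not mention, per host: the usual sign of
    firewall or service drift when you scan your own network."""
    findings: dict[str, set[PortKey]] = {}
    for host in hosts:
        extra = open_ports(host) - allow.get(host.address, set())
        if extra:
            findings[host.address] = extra
    return findings
```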


Scanning a Single IP/Host/Domain 
See Figures 7 & 8. Example: 

#nmap <Live Domain/hostname/IP/Range of IP/Subnet> 

#nmap 10.0.0.1 
#nmap 10.0.0.1,2,3,4,5 
#nmap 10.0.0.1-5 
#nmap 10.0.0.0/8 
#nmap 10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4 10.0.0.5 

#nmap spider 

#nmap spidernet.co.in 


Figure 7. Scanning single IP (terminal screenshot: nmap 10.0.0.5, four open TCP ports and the MAC address of the host) 
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Figure 8. Scanning domain 
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By default, Nmap scans the 1000 most commonly used 
TCP/IP ports. If you compare the results, you can 


Figure 9. Multiple IP addresses (terminal screenshot: nmap 10.0.0.2 10.0.0.3 10.0.0.4 10.0.0.5) 


Figure 10. Range of IP addresses (terminal screenshot: nmap 10.0.0.2-5) 
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see that in Figure 7, when we scan the system, it shows the 
MAC address of the LAN card. In Figure 8, you can see 
there are many open and closed ports, but no MAC address 
is shown here. Next, we will scan multiple IPs using 
different shorthand notations. 


Multiple IP Scanning 

You can scan multiple IPs in different ways. The first is by 
providing full IP addresses, as seen in Figure 9. You can 
also provide a range of IP addresses (see Figure 10), 
or separate the IP addresses with commas (see Figure 11). 
The results are shown in the figures. 


Figure 11. Comma-separated IP addresses (terminal screenshot: nmap 10.0.0.2,4,5) 
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Figure 12. Firewall is not on 
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


Host Discovery Scanning Technique / Ping 
Scanning Technique 

Host Discovery, or the Ping Scanning Technique, is very use- 
ful. When we ping any host, we learn whether the host 
system is live or not. In large organizations many administra- 
tors have blocked ICMP ping, so it's difficult to know whether 
a system is live or not. Let's see an example. This is the 2003 
Enterprise server. If we do not start the firewall on this server 
(see Figure 12) then the pings are answered, so it's easy for 
us to find out whether the system is live or not. You can see 
the response of ping 


Figure 13. Getting the response (screenshot: ping 192.168.1.100 answered, 4 packets sent, 4 received) 
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Figure 15. Not getting reply (screenshot: ping 192.168.1.100, Request timed out, 4 packets sent, 0 received) 
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Figure 16. -sP Result 
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reply in Figure 13. But if we activate the firewall and 
afterwards ping the system, it's very hard to find out 
whether the host is live or not. As per Figure 14, after 
we activate the firewall we are unable to ping the system, 
as we do not get any response to the ICMP echo request 
(see Figure 15). 


Ping Scan 

In this condition it's hard to know whether the host is up or 
not, and here Nmap plays an important role. If you only want 
to ping and know whether the system is live, then use the -sP 
option. Also refer to Figure 16. 

Syntax 
# nmap -sP <IP / Hostname >   #nmap -sP 192.168.1.100 


This option is also termed a Ping sweep. This is the 
most useful option for administrators if they want to 


Figure 17. -sL result (screenshot: nmap -sL www.spidernet.co.in/24, reverse DNS names for the /24) 

Figure 18. Packet Trace (screenshot: --packet-trace output) 


BSD MAGAZINE 10 











check their network, also using CIDR notation. This com- 
mand is valuable because it does not go on to do further 
queries like port scanning, service or OS detection, etc. 
It's also easy to use. 


Host List Scanning 
Syntax 

# nmap -sL <IP / Hostname / Domainname >   #nmap -sL www.spidernet.co.in 

All of Nmap's switches are easy to remember because of 
their short forms (like -sL, which means List Scan). When 
you give the -sL option you tell Nmap to do a reverse DNS 
lookup for the host, IP range or specific domain, as in 
Figure 17 above. You can see spidernet.co.in in the whole list 
of names from the NS server. Really important information is 
revealed by the -sL option: you can find the purpose an IP 
address is used for and the location of the IP. When nmap -sL 
is executed, it does not 
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send any packet to the target system. It works like a thief 
— it steals the information without alerting the host 
IDS and simply prints it. 


Scanning Without Ping 

When you ping the target host, our machine sends thou- 
sands of packets and also receives thousands of packets 
from the system (see Figure 18). This internal process is 
time consuming. This option is useful, for example, if the 
administrator already knows from his list that the system is 
up; then there is no point in pinging. If he uses the -PN option 
he will get all of the port information and save time. 
This is also shown in Figure 19. 

Syntax 

# nmap -PN <IP / Hostname / Domainname >   #nmap -PN www.spidernet.co.in 


TCP SYN Ping 

This ping is based on a particular port. The -PS op- 
tion is used with any port. It is referred to as a TCP 
SYN ping because the SYN flag tells the target 
system that a connection establishment is in progress. 
If the port is closed then the packet is sent back, but if the 
port is open, then it will proceed further: the target sys- 
tem will send the ACK packet back to us. So the SYN probes 
port 80, and a reply is received from that port. 
You can see in Figure 20 that ICMP on the 2003 server is 
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blocked. In this situation, if we try to identify whether the 
machine is up or not and we ping the target machine, then 
we get “Request timed out” (see Figure 15). In this case, 
if ICMP is blocked but the web server is running on 
port 80 and the site is up (see Figure 21), then our work 
will be easy. We give Nmap the option -PS80 and we'll 
know whether the target host is available or not. 


Syntax 

# nmap -PS <Any Port> <IP / Hostname / Domainname >   #nmap -PS80 192.168.1.100 

Here we also use -sP for the ping scan. Nmap gives great 
flexibility in combining different options. 


TCP ACK Ping 

Similarly, a TCP ACK Ping is also available among Nmap's op- 
tions. ACK ping works the same way, with a small difference 
from SYN ping. 

Syntax 

# nmap -PA <Any Port> <IP / Hostname / Domainname >   #nmap -PA80 192.168.1.100 

Nmap has these two options because there is a chance 
to bypass the firewall: if SYN ping does not work because the 
admin blocks it, then ACK ping is useful. 
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UDP Ping 

UDP ping is a discovery option that sends an empty packet to 
the target host; the admin often only filters TCP packets in 
the firewall. If it's poorly configured then you will get a 
response that allows you to get information from the host. 
UDP ping uses the default probe port 31338. 
You can also change this in Nmap. 

Syntax 

# nmap -PU<Any Port> <IP / Hostname / Domainname >   #nmap -PU 192.168.1.100 


Three different ICMP Ping Scans 

There are three different ICMP ping scans available in 
Nmap: 1) ICMP Echo ping with option -PE; 2) ICMP Time- 
stamp ping with -PP; 3) ICMP Address Mask ping with -PM. 

1) The ICMP Echo ping (-PE) option is best on the LAN and the 
Internet and is the default. If you do not give any ping 
option, then -PE is applied. 

2) ICMP Timestamp ping uses ICMP code 14. Some im- 
properly configured systems may still reply to the ICMP 
timestamp. 

3) ICMP Address Mask ping uses ICMP code 18. 
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ICMP Echo Ping Syntax 

# nmap -PE <IP / Hostname / Domainname >   #nmap -PE 192.168.1.100 

ICMP Timestamp Syntax 

# nmap -PP <IP / Hostname / Domainname >   #nmap -PP 192.168.1.100 

ICMP Address Mask Syntax 

# nmap -PM <IP / Hostname / Domainname >   #nmap -PM 192.168.1.100 


IP Protocol Ping 

Here you can see the tremendous flexibility of Nmap; the -PO 
option is used for IP protocol ping (for instance if you 
want to probe with ICMP, IGMP or other protocols). The 
defaults are ICMP (1), IGMP (2) and IP-in-IP (4) (see Figure 23). 

Syntax 

# nmap -PO1,2,4 <IP / Hostname / Domainname >   #nmap -PO 192.168.1.100 
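Seen from the other side, each of the host-discovery probes described above (ICMP echo, timestamp and address mask; TCP SYN and ACK pings to a port; UDP ping; IP protocol ping) leaves a recognisable packet in a firewall log. This added example, not from the article, labels those packets and raises an alert when one source touches many hosts in a short window, which is what a ping sweep looks like to the defender. The log format, every address, port and timestamp in it, and the 60-second / 5-host thresholds are constructed for the example.

```python
"""Label host-discovery probes in a firewall log and detect a ping sweep.

Added example for this article (not Nmap's own code). The log format
"<timestamp> <src> <dst> <proto> key=value ..." and every address, port and
time in SAMPLE_LOG are constructed; the thresholds are illustrative.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

SAMPLE_LOG = """\
2012-08-02T13:06:01 192.168.1.50 192.168.1.1 icmp type=8
2012-08-02T13:06:01 192.168.1.50 192.168.1.2 tcp dport=80 flags=S
2012-08-02T13:06:01 192.168.1.50 192.168.1.3 tcp dport=80 flags=A
2012-08-02T13:06:02 192.168.1.50 192.168.1.4 udp dport=31338
2012-08-02T13:06:02 192.168.1.50 192.168.1.5 icmp type=13
2012-08-02T13:06:02 192.168.1.50 192.168.1.6 icmp type=17
2012-08-02T13:06:03 192.168.1.50 192.168.1.7 ip proto=2
2012-08-02T13:06:03 192.168.1.50 192.168.1.8 ip proto=4
2012-08-02T13:06:05 192.168.1.77 192.168.1.100 tcp dport=443 flags=S
2012-08-02T13:09:30 192.168.1.77 192.168.1.101 tcp dport=443 flags=S
"""

# ICMP request types: 8 = echo, 13 = timestamp, 17 = address mask.
ICMP_PINGS = {"8": "ICMP echo (-PE)", "13": "ICMP timestamp (-PP)", "17": "ICMP address mask (-PM)"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    dst: str
    probe: str  # which host-discovery probe this packet resembles


def classify(proto: str, attrs: dict[str, str]) -> str:
    """Name the Nmap host-discovery probe that produces a packet like this one.

    A lone SYN or a lone ACK to a port matches -PS/-PA, a UDP datagram matches
    -PU, and a bare IP protocol number (IGMP=2, IP-in-IP=4, ...) matches -PO."""
    if proto == "icmp":
        t = attrs.get("type", "?")
        return ICMP_PINGS.get(t, f"ICMP type {t}")
    if proto == "tcp":
        flags, port = attrs.get("flags", ""), attrs.get("dport", "")
        if flags == "S":
            return f"TCP SYN ping (-PS{port})"
        if flags == "A":
            return f"TCP ACK ping (-PA{port})"
        return f"TCP flags={flags}"
    if proto == "udp":
        return f"UDP ping (-PU{attrs.get('dport', '')})"
    if proto == "ip":
        return f"IP protocol ping (-PO{attrs.get('proto', '')})"
    return proto


def parse_log(text: str) -> list[Event]:
    events: list[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, *kvs = line.split()
        attrs = dict(kv.split("=", 1) for kv in kvs)
        events.append(Event(datetime.fromisoformat(ts), src, dst, classify(proto, attrs)))
    return events


def detect_sweeps(events: list[Event], window_s: int = 60, min_hosts: int = 5) -> dict[str, dict]:
    """Horizontal sweep: one source touching >= min_hosts distinct hosts within
    window_s seconds. A sliding window runs per source; the alert keeps the
    widest window seen plus the probe types mixed into it."""
    by_src: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    alerts: dict[str, dict] = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        left = 0
        for right in range(len(evs)):
            while (evs[right].ts - evs[left].ts).total_seconds() > window_s:
                left += 1
            win = evs[left:right + 1]
            hosts = {e.dst for e in win}
            if len(hosts) >= min_hosts and len(hosts) > alerts.get(src, {}).get("hosts", 0):
                alerts[src] = {"hosts": len(hosts), "probes": sorted({e.probe for e in win})}
    return alerts
```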


Other Important Options for Host Discovery 
Techniques 

Nmap is really in-depth, so it's not possible to see all the op- 
tions in practice. Here I'll show you some important Nmap 
switches. All of these options are used for host discovery 
techniques — you can use them as per your requirements: 

--packet-trace 

In Figure 18 (Packet Tracing) you can find out how many 
packets are sent and received by Nmap; you can even find 
information about sequence numbers, Time to Live val- 
ues, and TCP flags. 
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--data-length <length> 

If an Intrusion Detection System detects your scan, you 
can also use this option: with the --data-length switch 
you control the number of bytes of data appended to every packet. 
This option works with both connectionless and connection- 
oriented protocols: TCP, UDP and ICMP. 

-n 
The -n option disables all DNS resolution. 

-R 
The -R option enables DNS queries against every host, even 
if the target host is down. 

--dns-servers <dns server1>[,<server2>[,...]] 

This switch is used for reverse queries. Nmap reads the 
registry if the system is a Windows server, and on a Linux 
system it tries to read the resolv.conf file, to obtain 
information about the DNS server. 


Advanced Scanning Techniques 

TCP Connect Scan -sT 

TCP Connect scan is an advanced scanning technique. 
First, it asks the target host for a connection by 
sending a SYN packet to a port, such as port 22; then, 
if the port is open, the host sends back an acknowledg- 
ment that it is open. 

Then the system completes the connection with the target sys- 
tem, and once the connection is established nmap -sT will 
start scanning the system. When all processes are done, 
the connection is closed. This technique also has 
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Figure 29. FIN scan Result 
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a drawback. If the target system has an IDS, then 
it will catch you and generate a log of the scan, allowing 
the admin to easily see which IP scanned his system. 

You can see Figure 24 below to understand how the 
connection is established and closed. This disadvantage 
is why the TCP SYN / Stealth Scan -sS was developed; it 
is the opposite of the -sT option. You can see the result 
of -sT in Figure 25. 

Syntax 

# nmap -sT <IP / Hostname / Domainname >   #nmap -sT 192.168.1.100 


TCP SYN Scan -sS 

This type of scan needs root privilege. It is also called a stealthy scan because it does not need a full-fledged connection to the remote host. It is the default scan type and the most common one: it can probe thousands of TCP ports per second without drawing the firewall's attention.


Syntax

# nmap -sS <IP / Hostname / Domainname>
# nmap -sS 192.168.1.100

UDP Scan -sU 


User Datagram Protocol (UDP) services are scanned with the -sU switch. It is slower than a TCP scan, but it is more important because UDP is more complex than TCP. Many admins ignore these ports because of that greater difficulty; this is a big mistake, because attackers are used to scanning them, as you can see in Figure 26. Once we scan the 2003 server, we can see that ports 53, 123, and others are open.


Syntax

# nmap -sU <IP / Hostname / Domainname>
# nmap -sU 192.168.1.100


UDP sends an empty header to every port. A UDP scan reports four states: Open, Open|filtered, Closed, and Filtered, and all are different. Open means a UDP response came back from the host. Open|filtered means you get no response, even after retransmission. Closed means the host answered with an ICMP unreachable message. Filtered means an ICMP unreachable message with a different type and code came back. By default a UDP scan is slow; if you want to speed it up, you have to combine -sU with other options. You can also deal with slow hosts with the --host-timeout option, enable verbose mode with -v, and so on.


TCP Xmas, Null, and Fin Scans with --scanflags 

Before we look at the Xmas, Null and FIN scans, we need to know what happens when a connection is established with the SYN, FIN, ACK, URG, PUSH and RESET flags. The SYN and FIN flags are used to establish and to close the TCP connection. The ACK flag is set so that the acknowledgment field is valid, and it gets the attention of the target system. The URG flag marks a segment containing urgent data, while the PUSH flag means the sender invoked the push operation, which tells the receiving side of TCP that it should notify the receiving process of this fact. Finally, the RESET flag indicates that the receiver has become confused and wants to abort the connection. Now let's see what the Xmas scan can do. This scan turns on a set of flags so that the packet is lit up like a Christmas tree. A closed port responds to an Xmas tree scan with RST, as you can see in Figure 27.


Syntax

# nmap -sX <IP / Hostname / Domainname>
# nmap -sX 192.168.1.100


TCP Fin Scan 

In this scan, the TCP FIN bit is set on the packets sent, in an attempt to solicit a TCP ACK from the destination target host. This is another choice for scanning and gathering information from a target system that is protected by a firewall.


Syntax

# nmap -sF <IP / Hostname / Domainname>
# nmap -sF 192.168.1.100
TCP Null Scan

TCP Null scanning is fast compared to other port scanning options. In this scan no TCP flags are enabled, so you will find that the flags field in the packet header is 0. If the port is closed on the target machine, the Null scan's packet, which carries no flags in its header, is answered with RST packets. This type of scanning has the major advantage of scanning through stateless firewalls or ACL filters.


Syntax

# nmap -sN <IP / Hostname / Domainname>
# nmap -sN 192.168.1.100


You can see the similarity in all the figures of the TCP FIN, Null and Xmas scans, observed in Figures 28, 29 and 30: the result is the same. You can customize these three scans with --scanflags. This option provides a lot of flexibility in scanning.

Syntax

# nmap --scanflags FINACKURGPSH <IP / Hostname / Domainname>
# nmap --scanflags FINACKURGPSH 192.168.1.100


TCP ACK Scan 

First we have to understand the results that the ACK scan gives. Unfiltered (TCP RST response) means special rules apply on the target's firewall. Filtered (ICMP unreachable error or no response) means the system is protected by the firewall. You can see in Figure 32 that "All 1000 scanned ports on 192.168.1.100 are unfiltered."

Syntax

# nmap -sA <IP / Hostname / Domainname>
# nmap -sA 192.168.1.100
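From the defender's side, the flag combinations described above are exactly what a packet capture or firewall log shows, and they let you tell the scan types apart even though the scanner itself sees identical results for FIN, Null and Xmas. The following is an added example (not Nmap's own code; the packet records are constructed sample data) that maps observed TCP flags onto the scan types above and flags any source that probes many distinct ports.

```python
from collections import Counter, defaultdict

# TCP flag bits, keyed by the one-letter names Nmap uses (e.g. --scanflags FPU).
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
FIN, SYN, RST, PSH, ACK, URG = (FLAG_BITS[k] for k in "FSRPAU")

# Flag combinations that the scan types in this article put on the wire.
SCAN_SIGNATURES = {
    0:               "null (-sN)",
    FIN:             "fin (-sF)",
    FIN | PSH | URG: "xmas (-sX)",
    SYN:             "syn (-sS, or the first packet of -sT)",
    ACK:             "ack (-sA)",
}


def flags_to_mask(flags):
    """Turn a flag string such as "FPU" (or "" for no flags) into a bitmask."""
    mask = 0
    for letter in flags.upper():
        if letter not in FLAG_BITS:
            raise ValueError("unknown TCP flag letter: %r" % letter)
        mask |= FLAG_BITS[letter]
    return mask


def classify_probe(flags):
    """Name the scan type a single inbound packet matches."""
    mask = flags_to_mask(flags)
    if mask in SCAN_SIGNATURES:
        return SCAN_SIGNATURES[mask]
    if mask & (SYN | ACK) == (SYN | ACK):
        return "handshake reply, not a probe"
    # Anything else is a hand-built combination, e.g. --scanflags FINACKURGPSH.
    return "custom --scanflags"


def detect_scanners(records, min_ports=10):
    """Summarise sources that probed at least min_ports distinct ports.

    records: iterable of (src_ip, dst_port, flags) for inbound TCP packets.
    Returns {src_ip: {"distinct_ports": n, "scan_types": {name: count}}}.
    """
    ports = defaultdict(set)
    kinds = defaultdict(Counter)
    for src, dport, flags in records:
        kind = classify_probe(flags)
        if kind.startswith("handshake reply"):
            continue
        ports[src].add(dport)
        kinds[src][kind] += 1
    return {
        src: {"distinct_ports": len(seen), "scan_types": dict(kinds[src])}
        for src, seen in ports.items()
        if len(seen) >= min_ports
    }


# Constructed sample: one host sweeping 15 ports with an Xmas scan, and one
# ordinary client opening two connections (stays below the threshold).
SAMPLE_RECORDS = [("10.0.0.5", port, "FPU") for port in range(20, 35)]
SAMPLE_RECORDS += [("10.0.0.9", 22, "S"), ("10.0.0.9", 80, "S")]

if __name__ == "__main__":
    for src, info in detect_scanners(SAMPLE_RECORDS).items():
        print(src, info)
```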
Other Important Options for Advanced Scanning Techniques

In advanced scanning there are so many options that are 
available but we will not cover them all. 


--send-eth

This option tells Nmap to bypass the IP layer on your system and send raw Ethernet frames on the data link layer. It is a rarely used option.

Syntax

# nmap --send-eth <IP / Hostname / Domainname>
# nmap --send-eth 192.168.1.100


-sO

This option is used for a protocol scan. From this scan you learn which protocols are running on the target host; the most common protocols are TCP, UDP and ICMP. You can see Figure 33, taken while the 2003 server is being scanned.


--send-ip

This option forces Nmap to scan using the local system's IP stack instead of generating raw Ethernet frames. It is used in rare cases.

Figure 35. -sV Scan Result
Figure 36. -sV Scan Result
Name Based Port Scanning

Multiple use of -p

The -p option has multiple uses: you can scan by service name, such as smtp or pop2, and you can also scan by port number, such as 53 or 25. It is the most flexible option, because if you want to scan a UDP or TCP port you simply write U:[port number] or T:[port number]. You can also use the wildcard -p "*", which tells Nmap to scan all ports.


Syntax

# nmap -p [port number with comma or range] <IP / Hostname / Domainname>
# nmap -p 25,80,53-200 192.168.1.100

# nmap -p [name] <IP / Hostname / Domainname>
# nmap -p smtp,http 192.168.1.100

# nmap -p U:[port number],T:[port number] <IP / Hostname / Domainname>
# nmap -p U:53,T:25 192.168.1.100

# nmap -p "*" <IP / Hostname / Domainname>
# nmap -p "*" 192.168.1.100
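Here is an added example (not Nmap's own parser) that turns a -p specification like the ones above into the TCP and UDP port sets it selects; the service-name table is a small constructed subset of Nmap's nmap-services file. It goes slightly beyond the forms shown above: a T: or U: prefix stays in force for the entries that follow it until the other prefix appears, and an open-ended range such as 1000- runs to 65535.

```python
MAX_PORT = 65535

# Constructed subset of nmap-services; Nmap resolves service names from that file.
SERVICE_PORTS = {"smtp": 25, "http": 80, "domain": 53, "pop2": 109, "ntp": 123}


def _expand_entry(entry):
    """Expand one comma-separated entry into a range of port numbers."""
    if entry == "*":
        return range(1, MAX_PORT + 1)
    if "-" in entry:
        low, high = entry.split("-", 1)
        low = int(low) if low else 1            # "-1024" means 1-1024
        high = int(high) if high else MAX_PORT  # "1024-" means 1024-65535
    elif entry.isdigit():
        low = high = int(entry)
    elif entry.lower() in SERVICE_PORTS:
        low = high = SERVICE_PORTS[entry.lower()]
    else:
        raise ValueError("unknown port or service name: %r" % entry)
    if not 0 <= low <= high <= MAX_PORT:
        raise ValueError("bad port range: %r" % entry)
    return range(low, high + 1)


def parse_port_spec(spec):
    """Return {"tcp": set_of_ports, "udp": set_of_ports} for one -p argument."""
    selected = {"tcp": set(), "udp": set()}
    protocols = ("tcp", "udp")  # no prefix seen yet: entries apply to both
    for raw in spec.split(","):
        entry = raw.strip()
        prefix = entry[:2].upper()
        if prefix == "T:":
            protocols, entry = ("tcp",), entry[2:]
        elif prefix == "U:":
            protocols, entry = ("udp",), entry[2:]
        if not entry:
            raise ValueError("empty entry in port spec: %r" % spec)
        for proto in protocols:
            selected[proto].update(_expand_entry(entry))
    return selected


if __name__ == "__main__":
    for spec in ("25,80,53-200", "smtp,http", "U:53,T:25", "*"):
        sets = parse_port_spec(spec)
        print(spec, "->", len(sets["tcp"]), "tcp ports,", len(sets["udp"]), "udp ports")
```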


OS & Service Scanning 

Operating System Detection 

OS detection mostly needs one open port or one closed port. The -O option is used to learn which operating system is running on the target system. You can see in Figure 34 that this is the Windows 2003 server, and in Figure 35 that Ubuntu is installed.

Figure 38. Decoy Result

Syntax

# nmap -O <IP / Hostname / Domainname>
# nmap -O 192.168.1.100


Service Detection 

Service detection is done with the -sV option. With this option you can find which service is running on the target host.

Syntax

# nmap -sV <IP / Hostname / Domainname>
# nmap -sV 192.168.1.100

Guess Unknown OS

This scan shows you the possible matches for the target OS. For this scan, use the --osscan-guess option.

Syntax

# nmap --osscan-guess <IP / Hostname / Domainname>
# nmap --osscan-guess 192.168.1.100


Firewall Evasion Technique 

Spoof MAC address 

In this example you can see that Nmap generates a fake MAC address to use for scanning. There are three ways to spoof a MAC address. The first is to give 0; Nmap will then generate a random MAC address of some vendor such as 3Com. You can also specify the exact MAC address, or you can give the vendor name.


Syntax

# nmap --spoof-mac [vendor | MAC | 0] <IP / Hostname / Domainname>
# nmap --spoof-mac 0 192.168.1.100


Decoy Use 

The decoy option gives the best performance during scanning because it generates additional packets and creates the illusion that the system is being scanned by multiple systems. With this option it is hard to trace which system is scanning, or where the scanning is coming from. You can specify the decoys as decoy1, decoy2, etc.; see Figure 38.

Syntax

# nmap -D RND:<number of decoys> <IP / Hostname / Domainname>
# nmap -D RND:10 192.168.1.100


Nmap Scripting Engine 

1) "nmap --script smb-os-discovery 192.168.1.100": the smb-os-discovery script gives you the result of which OS is running on the target system.

Syntax

# nmap --script smb-os-discovery <IP / Hostname / Domainname>
# nmap --script smb-os-discovery 192.168.1.100

Figure 39: -smb-os-discovery

2) "nmap --script smb-system-info 192.168.1.100": the smb-system-info script gives information about the system.

Syntax

# nmap --script smb-system-info <IP / Hostname / Domainname>
# nmap --script smb-system-info 192.168.1.100


Nmap: How to Use it

Nmap is very complex. There is also a time-based scanning technique available, and the Nmap Scripting Engine, which is a very useful part of Nmap. Using it, you can find all the information on users, shares, etc. NSE scripts define a list of categories they belong to. The currently defined categories are auth, broadcast, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln. Category names are not case-sensitive. NSE scripts consist of a handful of descriptive fields, a rule defining when the script should be executed, and an action function containing the actual script instructions. Values are assigned to the descriptive fields just as you would assign any other Lua variable.
How to Use The Mac OS X Hackers Toolbox

When you think of an operating system to run pen testing tools on, you probably think of Linux and more specifically, BackTrack Linux. BackTrack Linux is a great option and one of the most common platforms for running pen testing tools. If you are a Mac user, then you would most likely run a virtual machine of BackTrack Linux.


While this is a great option, sometimes it is nice to have your tools running on the native operating system of your computer. Another benefit is not having to share your system resources with a virtual machine. This also eliminates the need to transfer files between your operating system and a virtual machine, and the hassles of having to deal with a virtual machine. Also, by running the tools within OS X, you will be able to seamlessly access all of your Mac OS X applications.

My attack laptop happens to be a MacBook Pro and I started out running VirtualBox with a BackTrack Linux virtual machine. I recently started installing my hacking tools on my MacBook Pro. I wanted to expand the toolset of my Mac, so I started with Nessus, nmap, SQLMap, and then I installed Metasploit. My goal is to get most, if not all, of the tools I use installed on my MacBook Pro and run them natively within OS X. Since Mac OS X is a UNIX based operating system, you get great tools that come natively with UNIX operating systems such as netcat and SSH. You also have powerful scripting languages installed such as Perl and Python. With all of the benefits and features of Mac OS X, there is no reason not to use Mac OS X for your pen testing platform. I was really surprised to see that there's not a lot of information on the subject of using Mac OS X as a pen testing/hacking platform. Metasploit was the toughest application to get running on Mac OS X and that was mostly due to the PostgreSQL database setup. The majority of hacking tools are command line based, so they are easy and fairly straightforward to install.

In this article, I am going to take you through the installation and configuration of some of the most popular and useful hacking tools, such as Metasploit, on Mac OS X. If you are interested in maximizing the use of your Mac for pen testing and running your tools natively, then you should find this article helpful.


The Tools 

The pen test tools we will be installing are must-haves and all of them are free, with the exception of Burp Suite and Nessus (although Burp Suite has a free version, which offers a portion of the Burp Suite tools for free). The tools offered for free with Burp Suite are useful tools and I highly recommend them. The professional version of Burp Suite is reasonably priced.

• Metasploit Framework
• Nmap
• SQLmap
• Burp Suite
• Nessus
• SSLScan
• Wireshark
• TCPDUMP
• Netcat


Metasploit Framework 

The Metasploit Framework is one of the most popular and powerful exploitation tools and a must have for pen testers. The Metasploit Framework simplifies the exploitation process and allows you to manage your pen tests with the workspace function in Metasploit. Metasploit also allows you to run nmap within Metasploit, and the scan information is organized by project with the workspace function. You can create your own exploits and modify existing exploits in Metasploit. Metasploit has too many features to mention in this article, and the scope of this article is to demonstrate how to install Metasploit and other pen testing tools.


The Install 

Before we install Metasploit, we need to install some software dependencies. It is a little more work to install Metasploit on Mac OS X, but it will be worth it. Listed below are the prerequisite software packages.

Software Prerequisites

• MacPorts
• Ruby 1.9.3
• Homebrew
• PostgreSQL


MacPorts Installation

Install Xcode

• Install Xcode from the Apple App Store, or download it from the following URL: https://developer.apple.com/xcode/
• Once Xcode is installed, go into the Xcode preferences and install the "Command Line Tools". (See Figure 1)

Install the MacPorts app

• Download and install the package (.dmg) file from the MacPorts web site: https://distfiles.macports.org/MacPorts/
  Once the file is downloaded, install MacPorts. More information on MacPorts can be found here: http://www.macports.org/install.php
• Run MacPorts selfupdate to make sure it is using the latest version. From a terminal window run the following command:

$ sudo port selfupdate


Ruby 1.9.3

Mac OS X comes with Ruby preinstalled, but we want to upgrade to Ruby 1.9.3.

• We will be using MacPorts to upgrade Ruby. From a terminal window run the following command:

$ sudo port install ruby19 +nosuffix

• The default Ruby install path for MacPorts is /opt/local/. It is a good idea to verify that the PATH is correct, so that /opt/local/bin is listed before /usr/bin. You should get back something that looks like this:

/opt/local/bin:/opt/local/sbin:/usr/bin:/bin:/usr/sbin:/sbin

You can verify the path by entering the following syntax in a terminal window:

$ echo $PATH

To verify the Ruby install locations, enter this syntax:

$ which ruby gem

You should get back the following response:

/opt/local/bin/ruby
/opt/local/bin/gem
Database Installation

A database is not required to run Metasploit, but some of its features require that you install one. The workspace feature of Metasploit is one of its really nice features that requires a database. Workspace allows easy project organization by offering separate workspaces for each project. PostgreSQL is the vendor recommended and supported database, but MySQL can be used. In this article, we will be using PostgreSQL.

We will use Homebrew to install PostgreSQL. I tried a few different installation methods, but this is the easiest way to install PostgreSQL. Homebrew is a good method to install Open Source software packages.

• First we will install Homebrew. From a terminal window run the following command:

$ ruby -e "$(curl -fsSkL raw.github.com/mxcl/homebrew/go)"

• Next we will install PostgreSQL using Homebrew. From a terminal window run the following command:

$ brew install postgresql

Figure 2. This is one of the many Metasploit screens you will see when launching Metasploit
• Next we initialize the database, configure the startup, and start PostgreSQL. From a terminal window run the following commands:

$ initdb /usr/local/var/postgres
$ cp /usr/local/Cellar/postgresql/9.1.4/homebrew.mxcl.postgresql.plist ~/Library/LaunchAgents/
$ launchctl load -w ~/Library/LaunchAgents/homebrew.mxcl.postgresql.plist
$ pg_ctl -D /usr/local/var/postgres -l /usr/local/var/postgres/server.log start


• Database configuration
  In this step we will create our Metasploit database and the database user.
• The Homebrew install does not create the postgres user, so we need to create the postgres user in order to create databases and database users. At a command prompt, type the following:

$ createuser postgres_user -P
Enter password for new role: password
Enter it again: password
Shall the new role be a superuser? (y/n) y
Shall the new role be allowed to create databases? (y/n) y
Shall the new role be allowed to create more new roles? (y/n) y

• Creating the database user
  At a command prompt, type the following:

$ createuser msf_user -P
Enter password for new role: password
Enter it again: password
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n

• Creating the database
  At a command prompt, type the following:

$ createdb --owner=msf_user msf_database

• Install the pg gem.
  At a command prompt, type the following:

$ gem install pg

The database and database user are created, so now it is time to install Metasploit.
Metasploit software installation

The dependencies have been installed and next we will install the Metasploit software.

• Download the Metasploit source code for installation using the link provided below, and do not download the .run file from the Metasploit download page. Download the Metasploit tar file from: http://downloads.metasploit.com/data/releases/framework-latest.tar.bz2
• Once the download is complete, untar the file. If you have software installed to unzip or untar files, then it should untar the file when the download finishes. I use StuffIt Expander and it untarred the file for me upon completion of the download. If you need to manually untar the file, type this command at the command line and it will untar the file into the desired directory:

$ sudo tar -xvf framework-latest.tar.bz2 -C /opt

If the file was untarred for you as mentioned, you will need to move the Metasploit source file structure to the opt directory. Your directory structure should look like this:

/opt/metasploit3/msf3





Starting Metasploit 

Now that Metasploit is installed, we will start Metasploit for 
the first time. You will need to navigate to the Metasploit 
directory and start Metasploit. 


• Navigate to the Metasploit directory with the following syntax entered at the command line:

$ cd /opt/metasploit/msf3

• To start Metasploit, simply enter the following syntax:

$ sudo ./msfconsole


You will get one of the many Metasploit screens like 
the one in Figure 2. 


Connecting to the database 

In this next step, we will connect Metasploit to our PostgreSQL database. From the Metasploit prompt, type the following syntax:

msf > db_connect msf_user:password@127.0.0.1/msf_database

You will see the following message and you should be connected.





Listing 1. Database Backend Commands as displayed in the Metasploit console

Database Backend Commands

creds             List all credentials in the database
db_connect        Connect to an existing database
db_disconnect     Disconnect from the current database instance
db_export         Export a file containing the contents of the database
db_import         Import a scan result file (filetype will be auto-detected)
db_nmap           Executes nmap and records the output automatically
db_rebuild_cache  Rebuilds the database-stored module cache
db_status         Show the current database status
hosts             List all hosts in the database
loot              List all loot in the database
notes             List all notes in the database
services          List all services in the database
vulns             List all vulnerabilities in the database
workspace         Switch between database workspaces
[*] Rebuilding the module cache in the background...

Type in the following syntax to verify the database is connected:

msf > db_status

You will get the following back, verifying the database is connected:

[*] postgresql connected to msf_database

The database is now connected to Metasploit, but once you exit Metasploit the database will be disconnected. To configure Metasploit to automatically connect on startup, we have to create the msfconsole.rc file.

Enter the following syntax at the command prompt:

$ cat > ~/.msf3/msfconsole.rc << EOF
db_connect -y /opt/metasploit3/config/database.yml
EOF


Updating Metasploit 

Now that we have Metasploit installed and configured, we 
will update the Metasploit installation. From the command 
prompt, type the following syntax: 


$ ./msfupdate


This can take a while, so just sit back and let the update 
complete. Make sure to update Metasploit frequently so 
you have the latest exploits. 


The benefits of Metasploit with database 

Now that Metasploit is installed, the database is connected and ready to use. So what can you do with Metasploit with a database that you couldn't do without one? Below is a list of the Metasploit Database Backend Commands taken directly from the Metasploit console. The commands are pretty much self-explanatory, but it should be noted that db_import allows you to import nmap scans done outside of Metasploit. This comes in handy when you are working with others on a pen test and you want to centrally manage your pen test data. As mentioned earlier, workspace helps you manage your pen tests by allowing you to store them in separate areas of the database. A great reference guide for Metasploit can be found at Offensive Security's website: http://www.offensive-security.com/metasploit-unleashed/Main_Page.


Nmap 


Nmap is an open source network discovery and security auditing tool. You can run nmap within Metasploit, but it is good to have nmap installed so you can run nmap outside of Metasploit. We will use Homebrew to install nmap. From the command prompt, type the following syntax:

$ brew install nmap

Visit the Nmap website for the Nmap reference guide: http://nmap.org/book/man.html.


SQLmap 

SQLmap is a penetration testing tool that detects SQL injection flaws and automates SQL injection. From the command prompt, type the following syntax:

$ git clone https://github.com/sqlmapproject/sqlmap.git sqlmap-dev


Burp Suite 
Burp Suite is a set of web security testing tools, including Burp Proxy. To install Burp Suite, download it from: http://www.portswigger.net/burp/download.html.

To run Burp, type the following syntax from the command prompt:

$ java -jar -Xmx1024m burpsuite_v1.4.01.jar

For more information on using Burp, go to the Burp Suite website: http://www.portswigger.net/burp/help/.


Nessus 

Nessus is a commercial vulnerability scanner and it can be downloaded from the Tenable Network website: http://www.tenable.com/products/nessus/nessus-download-agreement.

Download the file Nessus-5.x.x.dmg.gz, and then double click on it to unzip it. Double click on the Nessus-5.x.x.dmg file, which will mount the disk image and make it appear under "Devices" in "Finder". Once the volume "Nessus 5" appears in "Finder", double click on the file Nessus 5.

The Nessus installer is GUI based like other Mac OS X applications, so there are no special instructions to document. The Nessus 5.0 Installation and Configuration Guide as well as the Nessus 5.0 User Guide can be downloaded from the documentation section of the Tenable Network website: http://www.tenable.com/products/nessus/documentation.


SSLScan 
SSLScan queries SSL services, such as HTTPS, in order 
to determine the ciphers that are supported. 
To install sslscan, type the following syntax at the command prompt:

$ brew install sslscan


Wireshark 

Wireshark is a packet analyzer and can be useful in pen tests. The Wireshark DMG package can be downloaded from the Wireshark website: http://www.wireshark.org/download.html. Once the file is downloaded, double click it to install Wireshark.


TCPDUMP 

TCPDUMP is a command line packet analyzer that is pre- 
installed on Mac OS X. For more information consult the 
man page for tcpdump by typing the following syntax at 
the command prompt: 


$ man tcpdump


Netcat 

Netcat is a multipurpose network utility that is preinstalled 
on Mac OS X. Netcat can be used for port redirection, 
tunneling, and port scanning to name just a few of the ca- 
pabilities of Netcat. Netcat is used a lot for reverse shells. 
For more information on Netcat, type the following syntax 
at the command prompt: 


$ man nc


Conclusion 

By following the instructions in this article, you will have a fully functional set of hacking tools installed on your Mac and you will be able to run them natively without having to start a virtual machine or deal with the added administrative overhead that comes with running a virtual machine. You will also not have to share resources with a virtual machine. I hope you found this article useful and I hope you enjoy setting up your Mac OS X hacker toolbox as much as I did. With Macs increasing in popularity, I can only imagine that they will become more widely used in pen testing.


PHILLIP WYLIE 


Phillip Wylie is a security consultant specializing in penetration testing, network vulnerability assessments and application vulnerability assessments. Phillip has over 8 years of experience in information security and 7 years of system administration experience.
The BSD Certification Group Inc. (BSDCG) is a non-profit organization committed to creating and maintaining a global certification standard for system administration on BSD based operating systems.

WHAT CERTIFICATIONS ARE AVAILABLE?

BSDA: Entry-level certification suited for candidates with a general Unix background and at least six months of experience with BSD systems.

BSDP: Advanced certification for senior system administrators with at least three years of experience on BSD systems. Successful BSDP candidates are able to demonstrate strong to expert skills in BSD Unix system administration.

WHERE CAN I GET CERTIFIED?

We're pleased to announce that after 7 months of negotiations and the work required to make the exam available in a computer based format, the BSDA exam is now available at several hundred testing centers around the world. Paper based BSDA exams cost $75 USD. Computer based BSDA exams cost $150 USD. The price of the BSDP exams is yet to be determined.

Payments are made through our registration website: https://register.bsdcertification.org//register/payment

WHERE CAN I GET MORE INFORMATION?

More information and links to our mailing lists, LinkedIn groups, and Facebook group are available at our website: http://www.bsdcertification.org

Registration for upcoming exam events is available at our registration website: https://register.bsdcertification.org//register/get-a-bsdcg-id
Techniques


Basic Unix Queuing 


It occasionally happens that our incoming or outgoing data 
cannot be processed as it is generated or, for some reason, 
we choose to process it at a later time. 


A typical example might be a client-server system, where it is necessary to queue the socket descriptors of incoming connections because of some limit on the number of active processes, or a message hub, which accepts data synchronously but must rely on other processes to remove the data asynchronously. Apart from the numerous commercially-available third party implementations of queuing systems, Unix has two highly efficient queuing mechanisms, which can be used for extremely low overhead systems of queues.


Kernel mode queues 

The kernel uses queues internally for the implementation of functions such as device drivers, and the system call interface to this mechanism is available for the implementation of application programs. The queues so produced are implemented in memory, so they are very fast. However, because there is no permanent storage of the data, these queues are also non-persistent. This means that if the process or the machine crashes, all of the queued data will be lost, and no further incoming data will be enqueued.


User mode queues 

In this section, we will concentrate on disk-based user 
mode queues. The kernel mode queuing system, which 
will be covered in an upcoming Advanced Queuing Article, 
is a bit limited, and it is sometimes more convenient to use 
the user mode queue library functions which offer a little 
more functionality, namely: 
• Notification of message arrival, by sending a signal to the monitoring process.
• Prioritization of messages


There are only four fundamental commands to remember: 


* mq_open() — opens an existing queue, or creates a new queue
* mq_send() — enqueues a message
* mq_receive() — dequeues a message
* mq_notify() — notifies a process of the arrival of a message

The remaining five commands perform housekeeping tasks:

* mq_close() — closes a queue
* mq_unlink() — deletes a queue from the disk
* mq_getattr() — interrogates a queue's characteristics
* mq_setattr() — sets a queue's characteristics


A single structure definition is used to set and get the 
queue’s attributes, and is defined as: 


struct mq_attr {
    long mq_flags;      /* message queue flags */
    long mq_maxmsg;     /* maximum number of messages */
    long mq_msgsize;    /* maximum message size */
    long mq_curmsgs;    /* number of messages currently queued */
};
The mq series of commands all relate to disk based queues. The queues themselves are created in the /tmp directory and are always referred to in the commands as if they were situated below the root directory.

Thus, to create a queue called 'zq', we would call mq_open(), like this:


#include <fcntl.h>
#include <mqueue.h>

mqd_t qd;                       /* queue descriptor returned by mq_open() */
struct mq_attr atr;

atr.mq_maxmsg = 100;            /* at most 100 messages may wait in the queue */
atr.mq_msgsize = 255;           /* each message is at most 255 bytes */

if((qd = mq_open("/zq", O_RDWR|O_CREAT, 0755, &atr)) == (mqd_t)-1){
    perror("mq_open");
}


Notice the similarity between the above syntax and that of the open() command for a file. The returned value is the queue descriptor, while the flags are exactly the same as those defined in fcntl.h for a file. The pointer to the 'atr' structure permits the setting of the maximum number of messages and the maximum message size, prior to calling mq_open().

Enqueuing a message is analogous to a write() on a file:


char *msg = "xyz";
unsigned int priority = 5;

if(mq_send(qd, msg, strlen(msg), priority) == -1){
    perror("mq_send");
}


The extra parameter, 'priority', determines the order in which the message will be removed from the queue when it is dequeued, with '1' being the highest priority.

The dequeuing is performed by mq_receive():


unsigned char data[8192];
unsigned int priority;
ssize_t n;

/* the buffer must be at least mq_msgsize bytes long */
if((n = mq_receive(qd, (char *)data, sizeof(data), &priority)) > 0){
    printf("Received %zd byte message >%s< with %u priority\n", n, data, priority);
}


Messages are taken off the queue in order of their priority, which is returned by mq_receive() into the variable passed to it. The return value of the function is the number of bytes in the message. In normal operation, this function would be called in a 'while' loop and the queue length would be checked at each iteration of the loop. The checking is done with the mq_getattr() function, called with the queue descriptor and the atr structure defined above:


if(mq_getattr(qd, &atr) == 0){
    if(atr.mq_curmsgs == 0){
        printf("No more messages\n");
        mq_close(qd);
    }
}


The following code extract puts this all together:

while((rval = mq_receive(qd, (char *)data, sizeof(data), &priority)) > 0){
    printf("Client received: >%s< priority %u\n", data, priority);
    memset(data, '\0', sizeof(data));
    if(mq_getattr(qd, &atr) == 0){
        if(atr.mq_curmsgs == 0){
            printf("No more messages\n");
            mq_close(qd);
            break;
        }
    }
}


We now have all the information we need to write a test program that exercises all of these queuing functions. Instead of attempting to re-create MQ Series from scratch (which we will leave for the 'Advanced Queues' article), this program merely does the following:

• Create a queue, whose descriptor is 'qd'.
• Launch a child process, child(), which asks to be notified of the arrival of a message.
• Enqueue 4 messages, in ascending order of priority.
• The child pulls the messages off the queue, in the order that they arrived, i.e. in order of priority. It then quits.
• Launch another child process, client(), which merely performs a blocking read of the queue.
• Enqueue 4 more messages, in descending order of priority.
• The child, again, pulls the messages off, in order of priority, which means the reverse of the order of their arrival. It does not quit.
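As an added example, not part of the article or its listing, the following program runs the same mq_open/mq_send/mq_getattr/mq_receive sequence in a self-contained form and checks the delivery order against the one POSIX specifies (the message with the highest numeric priority is returned first, and messages of equal priority come out first-in first-out). It also shows two points a defender cares about: the queue is created with O_EXCL and mode 0600 (the article's 0755 lets every other user on the machine open the queue), and the receive buffer is sized from mq_getattr() instead of being guessed. The queue name /zq_demo, the sample messages and the helper names are assumptions.

```c
/* Added example (not code from the article): open a POSIX message queue with a
 * private mode, enqueue messages with different priorities, drain it with a
 * buffer sized from mq_getattr(), and compare the delivery order with the
 * order POSIX specifies (highest numeric priority first, FIFO within one
 * priority). The queue name and the sample messages are constructed. */
#include <fcntl.h>
#include <mqueue.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define DEMO_QUEUE "/zq_demo"
#define DEMO_NMSG  4

/* Constructed sample messages, in arrival order, with their priorities. */
static const char *demo_text[DEMO_NMSG] = { "first", "second", "third", "fourth" };
static const unsigned demo_prio[DEMO_NMSG] = { 1, 3, 2, 3 };

/* Fills out[] with arrival indices in the order mq_receive() should deliver
 * them: highest priority first, earlier arrivals first among equals.
 * n must not exceed DEMO_NMSG. */
void expected_order(const unsigned *prio, size_t n, size_t *out)
{
    unsigned char picked[DEMO_NMSG] = { 0 };
    size_t k, i, best;

    for (k = 0; k < n; k++) {
        best = n;
        for (i = 0; i < n; i++)
            if (!picked[i] && (best == n || prio[i] > prio[best]))
                best = i;           /* strict '>' keeps FIFO within a priority */
        picked[best] = 1;
        out[k] = best;
    }
}

/* Self-check of expected_order() on the sample data: returns 1 if it yields
 * the arrival indices 1, 3, 2, 0. */
int check_expected_order(void)
{
    size_t out[DEMO_NMSG];
    expected_order(demo_prio, DEMO_NMSG, out);
    return out[0] == 1 && out[1] == 3 && out[2] == 2 && out[3] == 0;
}

/* Round trip through a real queue. Returns 1 if the messages came back in the
 * expected order, 0 if they did not, -1 if queues are unavailable or a call failed. */
int run_queue_demo(void)
{
    struct mq_attr attr, cur;
    size_t want[DEMO_NMSG], i;
    unsigned prio;
    char *buf;
    mqd_t qd;
    int result = 1;

    memset(&attr, 0, sizeof attr);
    attr.mq_maxmsg = 10;
    attr.mq_msgsize = 64;

    mq_unlink(DEMO_QUEUE);          /* drop a stale queue from an earlier run */
    /* O_EXCL: refuse to reuse a queue created by someone else under this name.
     * 0600: only the owner may send or receive. */
    qd = mq_open(DEMO_QUEUE, O_RDWR | O_CREAT | O_EXCL, 0600, &attr);
    if (qd == (mqd_t)-1)
        return -1;

    for (i = 0; i < DEMO_NMSG; i++)
        if (mq_send(qd, demo_text[i], strlen(demo_text[i]) + 1, demo_prio[i]) == -1) {
            result = -1;
            goto out;
        }

    /* The receive buffer must hold mq_msgsize bytes, or mq_receive() fails
     * with EMSGSIZE; take the size from the queue rather than assuming it. */
    if (mq_getattr(qd, &cur) == -1 || (buf = malloc((size_t)cur.mq_msgsize)) == NULL) {
        result = -1;
        goto out;
    }

    expected_order(demo_prio, DEMO_NMSG, want);
    for (i = 0; i < DEMO_NMSG; i++) {
        ssize_t n = mq_receive(qd, buf, (size_t)cur.mq_msgsize, &prio);
        if (n < 0) {
            result = -1;
            break;
        }
        if (prio != demo_prio[want[i]] || strcmp(buf, demo_text[want[i]]) != 0)
            result = 0;
    }
    free(buf);
out:
    mq_close(qd);
    mq_unlink(DEMO_QUEUE);          /* the name would otherwise stay in /dev/mqueue */
    return result;
}

int main(void)
{
    int r = run_queue_demo();
    printf("%s\n", r == 1 ? "messages dequeued in priority order"
                 : r == 0 ? "unexpected dequeue order" : "message queues unavailable");
    return r == 1 ? 0 : 1;
}
```

On Linux the queue appears under /dev/mqueue while it exists, so the final mq_unlink() matters even though the contents are not persistent; the mode passed to mq_open() is what controls who else can open that name.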
Listing 1. Server and Client Code

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <fcntl.h>
#include <mqueue.h>
/* The original listing also included <sys/stream.h> and <sys/ddi.h>, which
   exist only on Solaris and are not needed for the calls used here. */

void interrupt(int);            /* interrupt handler */
pid_t child(mqd_t);
pid_t client(mqd_t);

struct mq_attr atr;             /* global, so the signal handler can see it */

char *msg1 = "Mary had a little lamb\n";
char *msg2 = "She also had a duck\n";
char *msg3 = "She put them on the mantelpiece\n";
char *msg4 = "To see if they would fall\n";
char *msg5 = "Mary had a little lamb\n";
/* the text of msg6 to msg8 is unreadable in the scanned listing;
   placeholder strings are used so that the program still runs */
char *msg6 = "Message six\n";
char *msg7 = "Message seven\n";
char *msg8 = "Message eight\n";

mqd_t qd;

int main(void)  /* main */
{
    pid_t pid;

    signal(SIGURG, interrupt);

    atr.mq_maxmsg = 100;
    atr.mq_msgsize = 255;

    if((qd = mq_open("/zq", O_RDWR|O_CREAT, 0755, &atr)) == (mqd_t)-1){
        perror("mq_open");
        exit(1);
    }

    pid = child(qd);    /* this asks to get notified */
    sleep(1);           /* give the child time to stabilise */

    /* queue ordering is by priority, not time of arrival */
    if(mq_send(qd, msg1, strlen(msg1), 1) == -1){
        perror("mq_send");
    }
    if(mq_send(qd, msg2, strlen(msg2), 2) == -1){
        perror("mq_send");
    }
    if(mq_send(qd, msg3, strlen(msg3), 3) == -1){
        perror("mq_send");
    }
    if(mq_send(qd, msg4, strlen(msg4), 4) == -1){
        perror("mq_send");
    }
    sleep(1);           /* give the child time to exit */

    pid = client(qd);   /* blocking, but no notification */

    /* these must arrive after the queue empties, or the child won't exit */
    if(mq_send(qd, msg5, strlen(msg5), 4) == -1){
        perror("mq_send");
    }
    if(mq_send(qd, msg6, strlen(msg6), 3) == -1){
        perror("mq_send");
    }
    if(mq_send(qd, msg7, strlen(msg7), 2) == -1){
        perror("mq_send");
    }
    if(mq_send(qd, msg8, strlen(msg8), 1) == -1){
        perror("mq_send");
    }
    return 0;
}  /* main */

/************************************************************
 * Simple blocking read loop, which checks the queue length at each
 * pass, and exits when it's empty.
 ************************************************************/

pid_t client(mqd_t qqd)  /* client */
{
    pid_t pid;
    char data[256] = { 0 };     /* zeroed, so a partial message still prints as a string */
    unsigned int priority;
    ssize_t rval;

    switch((pid = fork())){
    case -1:
        perror("fork");
        break;
    case 0:
        printf("Client collecting messages from queue...\n");
        /* this will block until the first message arrives */
        while((rval = mq_receive(qqd, (char *)data, sizeof(data), &priority)) > 0){
            printf("Client received: >%s< priority %u\n", data, priority);
            memset(data, '\0', sizeof(data));
            if(mq_getattr(qqd, &atr) == 0){
                if(atr.mq_curmsgs == 0){
                    printf("No more messages\n");
                    mq_close(qqd);
                    break;
                }
            } else {
                perror("mq_getattr");
                break;
            }
        }
        printf("Done\n");
        exit(0);
        break;
    default:
        return(pid);
        break;
    }
    return(pid);
}  /* client */

/************************************************************
 * The child asks to be notified of the arrival of a message, by
 * means of SIGURG, for which we've defined a handler. The child
 * then calls pause(), and waits for an interrupt. Inside the
 * interrupt handler, it performs blocking reads on the queue,
 * checking its length each time. When the queue is empty, it
 * returns, and calls mq_notify again, to turn off notification
 * and permit the client routine to access the queue.
 ************************************************************/

pid_t child(mqd_t qqd)  /* child */
{
    struct sigevent ev;
    pid_t pid;

    switch((pid = fork())){
    case -1:
        perror("fork");
        break;
    case 0:
        printf("Child collecting messages from queue...\n");
        ev.sigev_notify = SIGEV_SIGNAL;
        ev.sigev_signo = SIGURG;
        if(mq_notify(qqd, &ev) < 0){
            perror("mq_notify");
        }
        pause();
        if(mq_notify(qqd, NULL) < 0){      /* turn notification off again */
            perror("mq_notify off");
        }
        exit(0);
        break;
    default:
        return(pid);
        break;
    }
    return(pid);
}  /* child */

/************************************************************
 * Interrupt handler
 * We're only interested in SIGURG, for which we've been waiting
 * in pause(). We perform our dequeuing function in this handler,
 * to save ourselves a function call, so it is important that the
 * queue variables be visible globally.
 * The mq_receive loop performs reads of the queue, checking its
 * length each time. When the queue is empty, we return.
 ************************************************************/

void interrupt(int what)  /* interrupt */
{
    ssize_t rval;
    char data[256] = { 0 };
    unsigned int priority;

    printf("Received signal %d...\n", what);

    switch(what){
    case SIGURG:
        while((rval = mq_receive(qd, (char *)data, sizeof(data), &priority)) > 0){
            printf("Child received: >%s< priority %u\n", data, priority);
            memset(data, '\0', sizeof(data));
            if(mq_getattr(qd, &atr) == 0){
                if(atr.mq_curmsgs == 0){
                    printf("No more messages\n");
                    break;
                }
            } else {
                perror("mq_getattr");
                break;
            }
        }
        break;
    }
}  /* interrupt */
The notification mechanism uses a software interrupt defined by means of the sigevent structure. To do this, we first create the variable:

struct sigevent ev;

The interesting parts of this structure (defined fully in siginfo.h) are

struct sigevent {
    int sigev_notify;
    int sigev_signo;
    ...
};

where sigev_notify has the values

SIGEV_NONE
SIGEV_SIGNAL
SIGEV_THREAD

We will choose SIGEV_SIGNAL, since we want to catch an interrupt with the arrival of each message on our queue. Later, if we need to turn off notification, we can do it by passing in SIGEV_NONE.

Since sigev_signo lets us choose which signal can be sent to us, we'll choose something safe, that isn't used by other processes. SIGURG is normally sent out when an urgent condition exists on a socket or other I/O device and, in that capacity, is of no interest to us. Therefore, we will use SIGURG, and register it, together with our interrupt handler, in main():

signal(SIGURG, interrupt);

Then, in our child() function, when our child process is running, we define the kind of event we need, and the signal number that we're expecting, as follows:

ev.sigev_notify = SIGEV_SIGNAL;
ev.sigev_signo = SIGURG;

Immediately after these lines, we call pause(), which puts the process into a catatonic state, waiting for the arrival of an interrupt.

In reality, the server and client code would probably be in separate files, and run in unrelated processes. Since this is merely an exercise, all of the code is in one file, as shown in Listing 1.


MARK SITKOWSKI
Mark Sitkowski C.Eng, M.I.E.E., Consultant to Forticom Security
How Secure can Secure Shell (SSH) be?
(OpenSSH VPN tunnelling)

This article is the third part of the series on OpenSSH and its configuration, and includes tricks which make using the protocol more secure. This article concentrates on Virtual Private Networks supported by OpenSSH.

What you will learn...

• How to configure a VPN using OpenSSH.
• Good basics to make something new and secure on your own.


and apps to enable a (virtual) tunnel inside the network. In this case, the network means layer 2 and layer 3 of the OSI (Open System Interconnection) model, but we are focusing on the layer 3 VPN tunnel. Admittedly, OpenSSH supports layer 2 tunnelling, but for ease of use and understanding, this article will focus on layer 3 tunnelling.

Please look at Figure 1. It depicts a small network configuration where our OpenSSH tunnel runs through the Internet. This means that two separate private networks are connected directly via the Internet, and packets are routed to the appropriate network on the other side. The goal is to ensure secure traffic between the 10.0.0.0/24 and 172.16.0.0/24 networks. VPNs can provide protection in unsecure networks as well.

OpenSSH is very configurable and we can use it independently of the existing SSH configuration, in order not to disturb a terminal access client/server model (further explanation is in article 1 of the series, issue 11/2013 of BSD Magazine). All traffic between these networks is as secure as the OpenSSH protocol is secure. Therefore, encryption is enabled and no one can easily understand what we send through the Internet. Be informed, the OpenSSH team's quotation from man ssh advises: "Since an SSH-based setup entails a fair amount of overhead, it may be more suited to temporary setups, such as for wireless VPNs. More permanent VPNs are better provided by tools such as ipsecctl(8) and isakmpd(8)." So, we can use it for small traffic, at the cost of a relatively large amount of bandwidth.

What you should know...

• Unix/Linux commands and SHELL environments.
• The basics of TCP/IP, routing, and VPN issues.
• Basic configuration of SSH (1st and 2nd parts of the article series).
• Understanding of security necessities.









[Figure 1. Network schema of VPN tunnelling: LAN1 10.0.0.0/24 sits behind the server (tun0 address 192.168.0.1, Internet-side address 1.1.1.1) and LAN2 172.16.0.0/24 behind the client (tun0 address 192.168.0.2, Internet-side address 2.2.2.2); the two tun0 endpoints are connected across the Internet.]
IP SETTINGS CONFIGURATION

First, we have to create virtual interfaces for temporary use and potentially for future use. Both interfaces should be made up on the server and client side. To do it for temporary use (until the first system reboot or an /etc/netstart command release) type the following commands:

server# ifconfig tun0 create
server# ifconfig tun0 192.168.0.1 192.168.0.2 netmask 255.255.255.252

The results should be similar to Listing 1.

Secondly, we should be sure that forwarding is enabled on both sides. To check it, run the command shown below.

server# sysctl | grep ip.forwarding

Output (required):

net.inet.ip.forwarding=1

If the result is equal to 0, then run the following command.

server# sysctl net.inet.ip.forwarding=1





Listing 1. Output of ifconfig tun0 pseudo-device interface on the server side

server# ifconfig tun0
tun0: flags=11<UP,POINTOPOINT> mtu 1500
        priority: 0
        groups: tun
        status: down
        inet 192.168.0.1 --> 192.168.0.2 netmask 0xfffffffc

Listing 2. Output of ifconfig tun0 pseudo-device interface on the client side

client# ifconfig tun0
tun0: flags=11<UP,POINTOPOINT> mtu 1500
        priority: 0
        groups: tun
        status: down
        inet 192.168.0.2 --> 192.168.0.1 netmask 0xfffffffc
Output:

net.inet.ip.forwarding: 0 -> 1

To set it permanently, add the line net.inet.ip.forwarding=1 to the /etc/sysctl.conf file.

For the client side, check whether forwarding is enabled and then create the pseudo-device interface tun0. The command sequence is as follows; the results of the commands are shown in Listing 2:

client# ifconfig tun0 create
client# ifconfig tun0 192.168.0.2 192.168.0.1 netmask 255.255.255.252


Thirdly, for future use of the pseudo-device at start up after a reboot or similar, create the following file on OpenBSD or modify the specified file on FreeBSD.

OpenBSD (on server and client side)

server# echo "192.168.0.1 192.168.0.2 netmask 255.255.255.252" > /etc/hostname.tun0
client# echo "192.168.0.2 192.168.0.1 netmask 255.255.255.252" > /etc/hostname.tun0

FreeBSD (on server and client side)

server# echo 'ifconfig_tun0="inet 192.168.0.1 192.168.0.2 netmask 255.255.255.252"' >> /etc/rc.conf
client# echo 'ifconfig_tun0="inet 192.168.0.2 192.168.0.1 netmask 255.255.255.252"' >> /etc/rc.conf


Last but not least, set up the appropriate routing table for both server and client. Let's look at Figure 1 again to understand better what we should do, along with the packets' destination. For temporary use the commands are as follows:

OpenBSD (on server and client side)

server# route add 172.16.0.0/24 192.168.0.2
client# route add 10.0.0.0/24 192.168.0.1

FreeBSD (on server and client side)

server# route add -net 172.16.0.0/24 192.168.0.2
client# route add -net 10.0.0.0/24 192.168.0.1

To set the permanent routing entries (static routes) after reboot etc., modify your configuration files with the following commands:

OpenBSD (on server and client side)

server# echo "!route add 172.16.0.0/24 192.168.0.2 > /dev/null 2>&1" >> /etc/hostname.tun0
client# echo "!route add 10.0.0.0/24 192.168.0.1 > /dev/null 2>&1" >> /etc/hostname.tun0

FreeBSD (on server and client side)

server# echo 'static_routes="vpn1"' >> /etc/rc.conf
server# echo 'route_vpn1="-net 172.16.0.0/24 192.168.0.2"' >> /etc/rc.conf
client# echo 'static_routes="vpn1"' >> /etc/rc.conf
client# echo 'route_vpn1="-net 10.0.0.0/24 192.168.0.1"' >> /etc/rc.conf

This is the end of the discussion on IP settings for VPN tunnelling, so let's begin to prepare the OpenSSH server and then the SSH client to negotiate and start tunnelling.


OpenSSH: Server and Client Configuration

This section of the article focuses on configuration of the SSH server and client, which is the same for both OpenBSD and FreeBSD operating systems. Let's assume that we use OpenSSH as a server for terminal use, file transfer or even another VPN tunnelling connection, all in one.

It's good to know that we can use a separate sshd process started with a specific configuration file and a different server port. For example, we use the standard SSH port 22 for terminal connections and the non-standard port 2468 for VPN connections. The configuration file mentioned above can be different as well, so we can forget about any existing SSH connections, configuration etc. and use it only for VPN tunnelling.

Server

The first step is to copy the existing configuration file sshd_config to the new file:

server# cp /etc/sshd_config /etc/sshd_config_vpn

After that we need to change some options and values, so edit the new file sshd_config_vpn and add/change the following lines.

You should be familiar with these options, described in the 1st article in the series (issue 11/2013 of BSD Magazine). There are two new options, PermitTunnel and AllowTcpForwarding, responsible for enabling tunnelling and forwarding packets respectively.

PermitTunnel point-to-point
Port 2468
ListenAddress 1.1.1.1
AllowUsers root
PermitRootLogin yes
AuthenticationMethods publickey
AllowTcpForwarding yes


On the server side we generate the new private/public key pair, which we will use to secure SSH connections. That is the same step described in the 1st article as well. The command generating these keys is as follows (please leave the passphrase empty, to avoid being asked for it during every VPN connection):

server# ssh-keygen -b 4096

As described in the 1st article, copy the public key into the authorized_keys file and the private key file into the client file system.


Client

The next step is to copy the existing configuration file ssh_config to the new file:

client# cp /etc/ssh_config /etc/ssh_config_vpn

We need to change a couple of options and values as well. Edit the file ssh_config_vpn and add/modify the following lines.

Port 2468
Protocol 2
Tunnel point-to-point
PasswordAuthentication no
AddressFamily inet
IdentityFile /my_own_path_to_ssh/private_key
TunnelDevice 0:0

Some explanation is needed for the TunnelDevice option. This option specifies which pseudo-device interface number should be used on each side: 0:0 means tun0 on both.

After that we are ready to run our OpenSSH VPN tunnel. Let's run the following command from the client.

client# ssh -v -F /etc/ssh/ssh_config_vpn -l root 1.1.1.1 true

To troubleshoot connection problems it is good to set the -v option, in order to output more debug data during creation of the VPN connection. A successful setting of VPN tunnelling is shown in Listing 3.


If everything works, we can do some hardening: run the VPN at start up, and prevent logging in as any user, especially root, to a terminal on the other side; allow only the creation of the VPN.

To run the VPN tunnel after a reboot, etc., we should do as follows (commands for OpenBSD and FreeBSD):

OpenBSD (on the client side)

client# echo "/usr/bin/ssh -F /etc/ssh/ssh_config_vpn -l root 1.1.1.1 true" >> /etc/rc.local

FreeBSD (on the client side)

client# echo "#!/bin/sh" >> /usr/local/etc/rc.d/vpn.sh
client# echo ". /etc/rc.subr" >> /usr/local/etc/rc.d/vpn.sh
client# echo "rcvar=sshvpn_enable" >> /usr/local/etc/rc.d/vpn.sh
client# echo 'command="/usr/bin/ssh -F /etc/ssh/ssh_config_vpn -l root 1.1.1.1 true"' >> /usr/local/etc/rc.d/vpn.sh
client# chmod 550 /usr/local/etc/rc.d/vpn.sh
client# echo 'sshvpn_enable="YES"' >> /etc/rc.conf

The last thing is to use the SSH connection for VPN tunnelling only. To do that we have to change the following line on the server side in the file sshd_config.

PermitRootLogin forced-commands-only

And on the client side add/modify the following line in the file ssh_config_vpn.

tunnel="1",command="sh /etc/netstart tun0" ssh-rsa
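Checking that the VPN-only sshd instance actually carries the settings above is a job worth automating, because a later edit to the copied file can silently reopen root terminal access. The following auditor is an added example, not part of the article or of OpenSSH: it parses a configuration the way sshd reads it (comments skipped, keywords case-insensitive, the first occurrence of a keyword wins) and reports which of the article's hardening settings are missing or weaker. The two sample configurations are constructed, one with the article's initial PermitRootLogin yes and one after the final change to forced-commands-only; the finding names are assumptions.

```c
/* Added example (not from the article): audit an sshd_config for the VPN-only
 * sshd instance. Returns a bitmask of settings that are missing or weaker
 * than the article's hardened values. Sample configurations are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum {
    F_NO_TUNNEL       = 1 << 0,   /* PermitTunnel is not point-to-point */
    F_ROOT_LOGIN_OPEN = 1 << 1,   /* PermitRootLogin is not forced-commands-only */
    F_NO_PUBKEY_ONLY  = 1 << 2,   /* AuthenticationMethods is not publickey */
    F_NO_LISTEN_ADDR  = 1 << 3,   /* no ListenAddress: sshd binds every address */
    F_DEFAULT_PORT    = 1 << 4,   /* no Port or port 22: shares the terminal sshd's port */
    F_ALL             = (1 << 5) - 1
};

/* Case-insensitive comparison, since sshd keywords are case-insensitive. */
static int keyword_is(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Findings bitmask for the configuration text; 0 means every checked
 * setting matches the hardened configuration. */
int audit_sshd_vpn_config(const char *text)
{
    int findings = F_ALL, seen = 0;
    char line[256], key[64], val[192];

    while (*text) {
        size_t n = strcspn(text, "\n"), copy = n < sizeof line ? n : sizeof line - 1;
        int bit, good;

        memcpy(line, text, copy);
        line[copy] = '\0';
        text += n + (text[n] == '\n');

        if (sscanf(line, " %63s %191s", key, val) != 2 || key[0] == '#')
            continue;                                   /* blank line or comment */

        if (keyword_is(key, "PermitTunnel")) {
            bit = F_NO_TUNNEL;        good = strcmp(val, "point-to-point") == 0;
        } else if (keyword_is(key, "PermitRootLogin")) {
            bit = F_ROOT_LOGIN_OPEN;  good = strcmp(val, "forced-commands-only") == 0;
        } else if (keyword_is(key, "AuthenticationMethods")) {
            bit = F_NO_PUBKEY_ONLY;   good = strcmp(val, "publickey") == 0;
        } else if (keyword_is(key, "ListenAddress")) {
            bit = F_NO_LISTEN_ADDR;   good = strcmp(val, "0.0.0.0") != 0 && strcmp(val, "::") != 0;
        } else if (keyword_is(key, "Port")) {
            bit = F_DEFAULT_PORT;     good = strcmp(val, "22") != 0;
        } else {
            continue;
        }
        if (seen & bit)
            continue;                                   /* sshd keeps the first value */
        seen |= bit;
        if (good)
            findings &= ~bit;
    }
    return findings;
}

/* Constructed sample: the article's server settings before the final step. */
const char *sample_initial =
    "# VPN-only sshd instance\n"
    "PermitTunnel point-to-point\n"
    "Port 2468\n"
    "ListenAddress 1.1.1.1\n"
    "AllowUsers root\n"
    "PermitRootLogin yes\n"
    "AuthenticationMethods publickey\n"
    "AllowTcpForwarding yes\n";

/* The same file after PermitRootLogin is changed to forced-commands-only. */
const char *sample_hardened =
    "PermitTunnel point-to-point\n"
    "Port 2468\n"
    "ListenAddress 1.1.1.1\n"
    "AllowUsers root\n"
    "PermitRootLogin forced-commands-only\n"
    "AuthenticationMethods publickey\n"
    "AllowTcpForwarding yes\n";

static void report(const char *name, int f)
{
    printf("%s: %s\n", name, f == 0 ? "hardened" : "findings");
    if (f & F_NO_TUNNEL)       puts("  PermitTunnel is not point-to-point");
    if (f & F_ROOT_LOGIN_OPEN) puts("  PermitRootLogin is not forced-commands-only");
    if (f & F_NO_PUBKEY_ONLY)  puts("  AuthenticationMethods is not publickey");
    if (f & F_NO_LISTEN_ADDR)  puts("  ListenAddress is missing or a wildcard");
    if (f & F_DEFAULT_PORT)    puts("  Port is missing or 22");
}

int main(void)
{
    report("initial", audit_sshd_vpn_config(sample_initial));
    report("hardened", audit_sshd_vpn_config(sample_hardened));
    return 0;
}
```

The first-value-wins rule matters in practice: a hardened line appended at the end of a file that already contains PermitRootLogin yes changes nothing, which is why the auditor flags that case rather than the last value it sees.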


CONCLUSIONS

Virtual Private Networks are good solutions to provide secure and low cost internal traffic between branches. OpenSSH is one of the many such worthwhile methods for using VPN tunnels, but not the best. You can use it for small networks with low traffic between sites. You can use it as a secure gateway to enable new routes as well, for security purposes only. OpenSSH is very flexible, so it's good to combine SSH terminal connections with VPN tunnelling to improve your secure access into the system. You can also generate decoy traffic to mislead anyone looking for a target, and thus decrease your system's vulnerabilities.

This part is the last about strictly securing OpenSSH. The final one will explain why OpenSSH used for SFTP (SSH File Transfer Protocol) is better than FTP or even FTPS.

In the next part of the series you will find out more about SFTP, known as the SSH File Transfer Protocol, as opposed to standard FTP.

Listing 3. Successful setting of VPN connection, data from the server side

tun0: flags=51<UP,POINTOPOINT,RUNNING> mtu 1500
        priority: 0
        groups: tun
        status: active
        inet 192.168.0.1 --> 192.168.0.2 netmask 0xfffffffc

References (order of relevance):

• man sshd_config (server side configuration file)
• man ssh_config (client side configuration file)
• man sshd (server side binary file)
• man ssh (client side binary file)
• www.openssh.org
Shared Memory

A shared memory segment is a section of RAM, whose address is known to more than one process. The processes to which this address is known have either read only, or read/write permission to the memory segment, whose access rights are set in the manner used by chmod.

Most machines dedicated to manipulation of large databases are not short of RAM, and figures of 3 to 5 GB are fairly common. Where two processes coexist on the one machine, communication of data through the mechanism of shared memory becomes an attractive proposition.
Among the advantages of a shared memory system are:

• Memory-to-memory data transfers are inherently fast, and there are never any connection problems, as can occasionally occur with TCP/IP.
• The total amount of memory used by a TCP/IP client-server system, in the worst case, is double the amount necessary to store the data. First, the client has to extract the data, and store it in local data structures, like arrays of structures, or linked lists, and then the server has to allocate the same amount of memory to receive the same data. Memory is returned only when the client terminates.

The drawbacks include:

• The amount of free RAM must always be adequate to cater to the maximum which may be required.
• If a process terminates unexpectedly without first deleting its shared memory segment, that segment remains unusable. If the segment is of significant size, this could have an adverse effect on the performance of the machine.
• The parent/child interaction, at the beginning of the operation, is slightly more complicated. The child needs to communicate the address of the shared memory segment which it has allocated for the data it is about to send back to the parent. In order for this to be possible, the parent must first establish a small piece of shared memory, where the child can place this address.
• The timing of connections and disconnections is not event-driven.

Shared Memory Commands

A shared memory segment is requested with the shmget() system call, which has the synopsis:

int shmget(key_t key, size_t size, int shmflg);

The return value is the shared memory identifier, an integer value, which is used in subsequent manipulations.
On some versions of Unix, the 'key' parameter can be synthesized by calling a special function, but for most purposes, and certainly for ours, the symbolic value IPC_PRIVATE, which is #defined as zero, will be exclusively used.

The variable 'size' is merely the memory segment size in bytes, while the 'shmflg' parameter is the logical OR of one or more of the following:

IPC_CREAT — create segment if key doesn't exist
IPC_EXCL — fail if key already exists
IPC_NOWAIT — flag error if we must wait for the segment
SHM_R — make segment readable
SHM_W — make segment writeable
SHM_RND — attach on page boundary
SHM_RDONLY — attach as read-only. If this is omitted, the default is read/write.
SHM_SHARE_MMU — share virtual memory among processes which share this segment. This may be useful if there is a danger of one or more of such processes being swapped out.
SHM_PAGEABLE — as above, but the memory may be dynamically resized within the size allocated.


Typically, we would make the call as follows:

#include <sys/shm.h>

int shmid;
size_t size = 10000000;

/* 0 is a valid identifier, so test for a negative return, not for <= 0 */
if((shmid = shmget(IPC_PRIVATE, size, IPC_CREAT | SHM_PAGEABLE | SHM_R | SHM_W)) < 0){
    perror("Error obtaining shared memory");
}


Having acquired our shared memory, we now have to attach it to the data segment of our process. This is achieved by using the shmat() system call.

void *shmat(int shmid, const void *shmaddr, int shmflg);

The return value is a pointer to the start address of the attached memory segment. It is declared (void *) for the same reason as that of malloc(). It is the responsibility of the user to cast this to the datatype for which the memory will be used.

The 'shmid' parameter is that returned from the shmget() call above, while shmaddr has the following common options:

• shmaddr = 0: the segment is attached to the first available suitably aligned address.
• shmaddr != 0 AND shmflg is either SHM_SHARE_MMU (which means the kernel will share its unpageable memory resources) or SHM_PAGEABLE (memory is pageable): the segment is attached to the first suitably aligned address at shmaddr. This is the most commonly used value, and the one we shall use.

The shmflg argument can have most of the values passed to shmget():

SHM_R | SHM_W | SHM_RDONLY | SHM_RND | SHM_SHARE_MMU | SHM_PAGEABLE

We will use shmat() as follows:








Listing 1. A structure of type struct shmid_ds, which may be used to obtain information about the memory segment

struct shmid_ds {
    struct ipc_perm shm_perm;    /* operation permission struct */
    size_t          shm_segsz;   /* size of segment in bytes */
    struct anon_map *shm_amp;    /* segment anon_map pointer */
    ushort_t        shm_lkcnt;   /* number of times it is being locked */
    pid_t           shm_lpid;    /* pid of last shmop */
    pid_t           shm_cpid;    /* pid of creator */
    shmatt_t        shm_nattch;  /* used only for shminfo */
    ulong_t         shm_cnattch; /* used only for shminfo */
    time_t          shm_atime;   /* last shmat time */
    time_t          shm_dtime;   /* last shmdt time */
    time_t          shm_ctime;   /* last change time */
};
Listing 2. The code for child processes

/* the shmid of the token memory being passed to the child */
int shmid;

/* an array for storing pointers to all the tokens, passed to all child processes */
unsigned char *chptr[NCHILDREN];

for(i = 0; i < NCHILDREN; i++){
    /*
     * token memory, for the child to write its ID and shmid
     */
    token = sizeof(unsigned char) * 200;

    /*
     * shmid is global, so it can be viewed by the
     * child process, if needed
     */
    if((shmid = shmget(IPC_PRIVATE, token, IPC_CREAT | 0666)) < 0){
        perror("Server: Error obtaining shared memory");
        return(-1);
    }

    /*
     * shmat returns a pointer to the segment defined by shmid
     */
    if((chptr[i] = (unsigned char *)shmat(shmid, 0, SHM_RND)) == (unsigned char *)-1){
        perror("Server: Error attaching to shared memory");
        return(-1);
    }

    /* the next line cleans the memory we're going to use */
    memset((char *)chptr[i], '\0', token);

    /* launch child process */
    switch((pid = fork())){
    case -1:
        perror("fork");
        break;

    case 0:    /* in the child process */
        /* connect to database, prepare cursor
         * from cursor string, declare it, and open it
         */

        /* attach the child to the token memory */
        if((chptr[i] = (unsigned char *)shmat(shmid, 0, SHM_RND)) == (unsigned char *)-1){
            perror("Client: Error attaching to incoming shared memory");
            exit(1);
        }
        switch(whichcursor){
        case 1:
            /* run SQL query to determine the number of rows to be returned */

            /* allocate shared memory to hold all the data */
            if((shmid2 = shmget(IPC_PRIVATE, size, IPC_CREAT | 0666)) < 0){
                printf("Memory allocation failed\n");
                exit(1);
            }
            /*
             * now get a pointer to the actual memory,
             * cast to the data type of the structure we expect to receive
             */
            if((mptr = (struct xyz *)shmat(shmid2, 0, SHM_RND)) == (struct xyz *)-1){
                perror("Client: Error attaching to shared memory");
                exit(1);
            }

            /* Code to fetch the rows into the mptr[] array of structures */

            /* when all rows have been retrieved, write results to token:
             * the child's ID, the size of the data and the shmid of the data */
            sprintf((char *)chptr[i], "%d %d %d", (int)getpid(), (int)size, shmid2);
            break;
        case 2:
            /* Code for the second cursor, which has
             * a different cursor string and data structures
             */
            break;
        case 3:    /* etc. */
            break;
        default:
            printf("Unknown cursor\n");
            break;
        }

        /* Code to close the cursor */

        break;

    default:    /* in the parent process */
        children++;
        break;
    }
}

Listing 3. The presence of all three signifies that the cursor in the child has run, and that data is available

void monitor(void)  /* monitor */
{
    int one, two, three;        /* dummy variables for testing token */
    int flag = 0;               /* termination flag */
    int done[NCHILDREN];        /* log of completed children */

    printf("Server waiting for clients to connect shm segments...\n");
    memset((char *)done, '\0', sizeof(done));

    while(1){
        for(i = 0; i < NCHILDREN; i++){
            if(sscanf((char *)chptr[i], "%d %d %d", &one, &two, &three) == 3){
                if(one == 0 || two == 0 || three == 0)
                    continue;
                if(done[i] == 99)
                    continue;

                printf("Child %d returned\n", i);
                children--;
                done[i] = 99;   /* mark this child as having completed */

                /* let a thread deal with this, while we continue to look */
                if(pthread_create(&thr[i], NULL, serve, (void *)chptr[i]) != 0){
                    printf("Failed to create thr[%d]\n", i);
                }
                /* we don't want to wait for the thread */
                if(pthread_detach(thr[i]) != 0){
                    printf("Failed to detach thr[%d]\n", i);
                }
            } else {
                printf("Server %d: Threads running: children: %d\n", (int)getpid(), children);
            }

            if(children == 0){  /* all our cursors have run, so process the data */
                flag = 1;
                break;
            }
        }
        if(flag == 1) break;
    }
}  /* monitor */
unsigned char *mptr;

if((mptr = (unsigned char *)shmat(shmid, 0, SHM_RND)) == (unsigned char *)-1) {
    perror("Error attaching to shared memory");
}


Unlike malloc, which returns NULL on failure, shmat returns -1, which results in the need for the clumsy cast to (unsigned char *), above.

Each attached memory segment has associated with it a structure of type struct shmid_ds, which may be used to obtain information about the segment: Listing 1.

The shmctl() system call is designed to load the contents of this structure into a local structure of the above type:


struct shmid_ds buf;

if (shmctl(shmid2, IPC_STAT, &buf) < 0) {
    printf("Unable to get shm status\n");
}


The IPC_STAT command signifies that this is a query. The IPC_SET command allows the setting of the members of the ipc_perm structure, and changing the following permissions:

shm_perm.uid
shm_perm.gid
shm_perm.mode


Still considering our hypothetical database access program, described at the beginning of this chapter, the sequence of events for creating a shared memory client-server system would be:

• Parent process allocates a 100-byte shared memory segment, large enough to hold a token, with the child's ID, the number of bytes or data structures being returned, and the shared memory ID allocated and returned by the child.

• Parent forks child processes, each of which is passed the shared memory ID of the 100-byte token memory segment.

• Child process accesses the database, and queries the number of rows which will be returned by the cursor which it intends to run.

• Child process allocates shared memory, large enough to hold the data, then retrieves the data from the database, and loads it into the memory segment.





Listing 4. To access our data

void *
xserve(unsigned char *shm)      /* xserve */
{
    int cursor_id;
    int size;
    int shmid_c;

    /* extract token data */
    sscanf((char *)shm, "%d %d %d", &cursor_id, &size, &shmid_c);
    printf("Thread: cursor %d, shmid %d\n", cursor_id, shmid_c);

    /*
     * shmat returns a pointer to the segment defined by
     * shmid_c
     */
    if((data[cursor_id] = (unsigned char *)shmat(shmid_c, 0, SHM_RND))
            == (unsigned char *)-1) {
        perror("Server: Error attaching to shared memory");
        return((void *)-1);
    }

    /*
     * Cast pointers to correct data types,
     * and set no. of records
     */
    switch (cursor_id) {
    case 1:
        ptr1 = (struct xyz *)data[cursor_id];
        lpt = size;
        break;
    case 2:
        /* same for next cursor */
        break;
    case 3:
        /* etc. */
        break;
    }
    return(NULL);
}
• Child process places its identifier, the number of rows being returned and the shared memory ID of the retrieved data in the 100-byte token memory segment.

• Parent reads the child's identifier, the number of rows being returned and the shared memory ID. It then attaches to the shared memory segment and accesses the data.


Server 

This code would probably reside in the routine which launched child processes, and require the following global declarations: Listing 2. The above routine would be called once for every cursor and, after the last call, each element of the array chptr[] would contain a pointer to the shared memory tokens passed to all the children. We would then call a monitor routine, which would scan the elements of the array, looking for a child identifier, a row count and a shmid. The presence of all three signifies that the cursor in the child has run, and that data is available (Listing 3).

We send a thread to perform the housekeeping on the data that has just arrived, so that we can continue to search uninterrupted for returned children.

In the function xserve(), we attach to the memory segment defined by the shmid returned in the token. We store the pointer returned by shmat() in a global array of such pointers, which we will use in the subsequent data manipulation routines to access our data (Listing 4).
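A compact, runnable version of the token exchange described above, added here as an example and not taken from the article's listings: a child writes its cursor id, row count and shmid into the 100-byte token, the monitor applies the "all three present and non-zero" test from Listing 3, and the server attaches with shmat() using the same (unsigned char *)-1 failure check. The struct record row layout, the function names and the use of mode 0600 instead of the listings' 0666 are this example's assumptions; everything runs in one process so that it can be exercised without fork().

```c
/* Added example (not from the article): the token exchange the text
 * describes, written as small testable functions. The token layout
 * "%d %d %d" (cursor id, row count, shmid), the SHM_RND attach and the
 * (unsigned char *)-1 failure check follow the listings; the struct
 * 'record' and the function names are assumptions made for this demo. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/shm.h>

#define TOKEN_LEN 100          /* the article's 100-byte token segment */

struct record { int one; int two; int three; };   /* assumed row layout */

struct token { int cursor_id; int rows; int shmid; };

/* Child side: write "cursor rows shmid" into the token segment.
 * Returns 0 on success, -1 if the token would not fit. */
int write_token(char *tok, int cursor_id, int rows, int shmid)
{
    int n = snprintf(tok, TOKEN_LEN, "%d %d %d", cursor_id, rows, shmid);
    return (n < 0 || n >= TOKEN_LEN) ? -1 : 0;
}

/* Monitor side: the "presence of all three" test from Listing 3.
 * Returns 1 only when three fields parsed and none of them is zero. */
int token_ready(const char *tok, struct token *out)
{
    int one = 0, two = 0, three = 0;
    if (sscanf(tok, "%d %d %d", &one, &two, &three) != 3)
        return 0;
    if (one == 0 || two == 0 || three == 0)
        return 0;
    out->cursor_id = one; out->rows = two; out->shmid = three;
    return 1;
}

/* Attach to a segment, keeping the cast the article complains about:
 * shmat signals failure with (void *)-1, not NULL. Returns NULL on error. */
unsigned char *attach_segment(int shmid)
{
    unsigned char *p = (unsigned char *)shmat(shmid, 0, SHM_RND);
    if (p == (unsigned char *)-1) {
        perror("shmat");
        return NULL;
    }
    return p;
}

/* Full round trip in one process: create the data segment, fill it as the
 * child would, hand it over through the token, read it back as the server
 * would, then detach and remove the segment. Returns the sum of record.one
 * over all rows, or -1 on any IPC failure (e.g. SysV IPC unavailable). */
long token_round_trip(int nrows)
{
    char tok[TOKEN_LEN];
    struct token t;
    struct shmid_ds info;
    struct record *rows;
    long sum = 0;
    int i;
    /* 0600: only this user can attach; the listings' 0666 lets any local user read the rows */
    int shmid = shmget(IPC_PRIVATE, nrows * sizeof(struct record), IPC_CREAT | 0600);

    if (shmid < 0) { perror("shmget"); return -1; }
    rows = (struct record *)attach_segment(shmid);
    if (rows == NULL) { shmctl(shmid, IPC_RMID, NULL); return -1; }
    for (i = 0; i < nrows; i++) { rows[i].one = i + 1; rows[i].two = rows[i].three = 0; }
    shmdt(rows);

    /* child's last step: publish the results in the token */
    if (write_token(tok, 1, nrows, shmid) != 0) { shmctl(shmid, IPC_RMID, NULL); return -1; }

    /* server side: IPC_STAT confirms the segment is as large as the token claims */
    if (!token_ready(tok, &t) || shmctl(t.shmid, IPC_STAT, &info) < 0 ||
        info.shm_segsz < (size_t)t.rows * sizeof(struct record)) {
        shmctl(shmid, IPC_RMID, NULL);
        return -1;
    }
    rows = (struct record *)attach_segment(t.shmid);
    if (rows == NULL) { shmctl(shmid, IPC_RMID, NULL); return -1; }
    for (i = 0; i < t.rows; i++) sum += rows[i].one;
    shmdt(rows);
    shmctl(shmid, IPC_RMID, NULL);   /* segment is gone once every process has detached */
    return sum;
}

int main(void)
{
    printf("sum over 10 rows: %ld\n", token_round_trip(10));
    return 0;
}
```

Two points worth noticing: the "non-zero" test inherited from Listing 3 means a segment whose id happens to be 0 would never be picked up, so a real deployment would carry an explicit ready flag in the token; and the IPC_STAT check on shm_segsz keeps the server from reading past the end of a segment whose token claims more rows than the segment can hold.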


MARK SITKOWSKI 
Recovering Network Information
Using Wireshark

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, as well as education. Wireshark is cross-platform, using the GTK+ widget toolkit to implement its user interface and pcap to capture packets; it runs on various Unix-like operating systems including Linux, OS X, BSD, Solaris, and on Microsoft Windows.


You can download Wireshark for Windows or Mac OS X from the official website (http://www.wireshark.org/download.html). Most Linux systems come with a pre-installed Wireshark tool; however, in case Wireshark is not installed, you can just follow the documentation below and run the proper command for each operating system to get it running: Building and Installing Wireshark (http://www.wireshark.org/docs/wsug_html_chunked/ChapterBuildInstall.html). Wireshark needs to be run as the root user on your system and will give you a security message that you are running it as root, so proceed with proper caution.


Capture Interfaces 

We can get an overview of the available local interfaces by navigating to the Capture menu tab and then clicking the Interfaces option, as shown in Figure 1. By clicking the Options button, Wireshark pops up the "Capture Options" dialog box. The table shows the settings for all available interfaces, including a lot of information for each one and some checkboxes like:

• Capture on all interfaces — As Wireshark can capture on multiple interfaces, it is possible to choose to capture on all available interfaces.

• Capture all packets in promiscuous mode — This checkbox allows you to specify that Wireshark should put all interfaces in promiscuous mode when capturing.


By clicking the Start button, we will see a lot of packets 
start appearing in real time. Wireshark captures each 
packet sent from (Source) or to (Destination) our system. 


User Interface 

Before proceeding to analyze our network traffic, we will explain the basic information we need to know about the packet list pane, the color rules, the packet details pane and the packet bytes pane.


Packet List pane 

The packet list pane displays all the packets in the current capture file. Each line in the packet list corresponds to one packet in the capture file. If you select a line in this pane, more details will be displayed in the Packet Details and Packet Bytes panes.











Figure 1. Wireshark Interfaces (screenshot of the Capture Interfaces dialog: columns Device, Description, IP, Packets and Packets/s for eth0, wlan0, usbmon1 to usbmon4, any and lo, with Help, Start, Stop, Options and Close buttons)
The default columns will show: 


• No. — The number of the packet in the capture file. This number won't change, even if a display filter is used.

• Time — The timestamp of the packet. The presentation format of this timestamp can be changed.

• Source — The address where this packet is coming from.

• Destination — The address where this packet is going to.

• Protocol — The protocol name in a short (perhaps abbreviated) version.

• Info — Additional information about the packet content.


Color Rules 

A very useful mechanism available in Wireshark is packet colorization. There are two types of coloring rules in Wireshark: temporary ones that are only used until you quit the program, and permanent ones that will be saved to a preference file so that they are available in the next session. So let's focus on the most important named filters. Green refers to TCP packets, but black identifies corrupted TCP packets. Light blue refers to UDP packets and dark blue to DNS traffic. For more information, or to edit or add our own color rules, we can navigate to the View menu and click Coloring Rules.


Packet Details Pane 

The packet details pane shows the current packet (selected in the "Packet List" pane) in a more detailed form. This pane shows the protocols and protocol fields of the packet selected in the "Packet List" pane. The protocols and fields of the packet are displayed using a tree, which can be expanded and collapsed.


Figure 2. List — Details Pane (screenshot: the packet list shows HTTP GET and POST /index.php exchanges between 192.168.1.74 and 195.251.127.254, and the details pane below it has the Frame, Ethernet II, Internet Protocol Version 4 and Transmission Control Protocol entries expanded)


Packet Bytes Pane 

The packet bytes pane shows the data of the current packet in a hexdump style. The left side shows the offset in the packet data, in the middle the packet data is shown in a hexadecimal representation and on the right the corresponding ASCII characters are displayed.


Start Capturing — Analyzing 

In this part we will start capturing once more on our network, so click the Start option from the Capture menu. Next we will attempt to log in to an account and analyze it in the Wireshark tool to see if we can find important information. As we can see, Wireshark shows a lot of packets. A valuable option here is the Filter mechanism, which lets us quickly edit and apply display filters. Let's isolate the HTTP packets by typing the string http in the filter tab. As we can see, the packet list pane now shows only HTTP packets. We need to locate the HTTP protocol and identify the response of the Host which attempted to log in. Looking at the highlighted results, we can determine from the Info column that there are packets which contain the GET method. Let's focus on this information and explain it.


Note 

The GET method requests a representation of the specified resource. Requests using GET should only retrieve data and should have no other effect. In the packet details pane, click the Hypertext Transfer Protocol entry. As we can see, the GET method appears, and also a lot of important information such as the request version, the Host and the User-Agent, which contains the browser version and the OS that the user used to log in. Next we want to examine the full conversation between the client and the server by accessing the Follow TCP Stream option (right click on the packet and then choose Follow TCP Stream). A pop-up window will appear which will contain the entire conversation as stream content. The red text indicates the request and the blue text the response of the Host. Also, as we can notice, on choosing the Follow TCP Stream option Wireshark automatically added the corresponding filter in the Filter area.


Figure 3. TCP Stream Window (screenshot of the Follow TCP Stream dialog: the GET / HTTP/1.1 request with its Host, User-Agent, Accept, Accept-Language, Accept-Encoding, Cookie and Connection: keep-alive headers shown in red, followed by the HTTP/1.1 200 OK response with Date, Server, P3P, Set-Cookie, Expires, Last-Modified, Cache-Control and Pragma headers shown in blue)


By reviewing the highlighted code closely on Figure 
3, we can see that the index.php action has two inputs, 
the username and the password. We can identify on 
Packet List pane a POST Request method from our 
machine to the server using HTTP protocol. Selecting 
once more the Hypertext Transfer Protocol tree, we can 
verify the request and the method which was used to 
login to the Host. 

Figure 4. Bytes Pane (screenshot: hexdump of the POST request, with the Content-Type: application/x-www-form-urlencoded and Content-Length headers readable in the ASCII column)


Note 

The POST method requests that the server accept the entity enclosed in the request as a new subordinate of the web resource identified by the URI. The data POSTed might be, for example, an annotation for existing resources; a message for a bulletin board, newsgroup, mailing list, or comment thread; a block of data that is the result of submitting a web form to a data-handling process; or an item to add to a database.




As we can notice in the packet details pane, there is also a new tree line named Line-based text data. By clicking it once, we can see the POST request, which contains the username and the password in clear text. Also, checking the packet bytes pane, we can draw the same information from the Hex or Bit view.


Cracking — Analyzing W-Network

In this part of the article, we will explain how we can gain access to our WLAN network, how to retrieve the wireless password and, finally, how we can use it to analyze the traffic packets in Wireshark.

First we will run the following command to get a list of our network interfaces:

wizard32@wizard32:~$ sudo airmon-ng
Interface       Chipset         Driver

wlan0           Unknown         iwlwifi - [phy0]
As we can notice, the only available interface is the wlan0 adapter. To capture network traffic without being associated with an access point, we need to set the wireless network adapter in monitor mode (Listing 1). Next, run the Wireshark tool once more, navigate to the Capture menu and click the Interfaces option. As we mentioned before, monitor mode is enabled on mon0, so in the Wireshark pop-up window select mon0 as the capture interface and click Start (Figure 5). After starting the capture, we locate multiple SSID access points. By typing HTTP or DNS in the Filter menu, Wireshark doesn't return any result. Looking at the packet list pane, we can search for our access point either by locating the BSSID (basic service set identification) or the SSID (service set identifier).

Listing 1. Setting wireless network adapter in monitor mode
wizard32@wizard32:~$ sudo airmon-ng start wlan0
Found 4 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID     Name
1103    NetworkManager
1121    avahi-daemon
1125    avahi-daemon
????    wpa_supplicant
Interface       Chipset         Driver

wlan0           Unknown         iwlwifi - [phy0]
                                (monitor mode enabled on mon0)


• BSSID is the MAC address of the wireless access point (WAP), generated by combining the 24-bit Organization Unique Identifier and the manufacturer's assigned 24-bit identifier for the radio chipset in the WAP.

• SSID is the name of a wireless local area network (WLAN).

As we can notice, two new tree lines have been added in the packet details pane. Both of them specify the wireless communication protocol.

Another way to locate our access point is to use the airodump-ng tool.

wizard32@wizard32:~$ sudo airodump-ng mon0
 BSSID              PWR  Beacons  #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:11:8F:8E:4E:32  -30       21      0    0   1  54   WEP  WEP         wizard32

Figure 5. Wireshark Interfaces (screenshot of the Capture Interfaces dialog, now listing mon0 alongside eth0, usbmon1 to usbmon4, any and lo)
Listing 2. Retrieving WEP network key
wizard32@wizard32:~$ sudo aircrack-ng ~/Desktop/W-packets-01*.cap
Opening /home/wizard32/Desktop/W-packets-01.cap
Read 61960 packets.

   #  BSSID              ESSID     Encryption

   1  00:11:8F:8E:4E:32  wizard32  WEP (21124 IVs)

Choosing first network as target.

Opening /home/wizard32/Desktop/W-packets-01.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 21124 ivs.

                                 Aircrack-ng 1.1

                 [00:00:02] Tested 7 keys (got 21124 IVs)

   KB    depth   byte(vote)
   [byte vote table unreadable in the scan]

                   KEY FOUND! [ 4B:AB:EE:??:02 ]
    Decrypted correctly: 100%
To capture data into a file using the airodump-ng tool once more, we must specify some additional options to target a specific access point.

wizard32@wizard32:~$ sudo airodump-ng -c 1 -w ~/Desktop/W-packets --bssid 00:11:8F:8E:4E:32 mon0

Currently, we can use two different ways to retrieve the password from our network. The first one is to use a tool named aircrack-ng together with the .pcap packets that we captured using the airodump-ng tool; the second is to use the .pcap file from the Wireshark tool and perform a dictionary attack against a specific access point. Let's analyze them.


Method: aircrack-ng 

To recover the WEP key, aircrack only requires the collection of enough data. So, in the terminal we type the following command to retrieve our WEP network key: Listing 2. As we can see, aircrack correctly found our WEP network key. Let's analyze how we can retrieve it using the dictionary attack method on the .pcap Wireshark file (Listing 3) this time.


-w: Identifies our wordlist file 


Note 

Some of these tools (airmon-ng) might need to be installed, unless we are using a system which has airmon-ng already installed, such as BackTrack/Kali or BackBox.


Figure 6. Decryption Keys Pane (screenshot of the IEEE 802.11 decryption keys dialog)


In both cases, aircrack successfully recovered the WEP key. Now it's time to apply our WEP key in the Wireshark tool to enable decryption and locate possible sensitive information. Navigate to the Edit menu, then click on the Preferences option and in the Protocol tree locate the IEEE 802.11 protocol. Next we mark the Enable decryption checkbox and then click the Edit button to add our WEP key.


The Moment of Truth (TMT)

We are searching once more for possible http || dns protocols. By reviewing the highlighted code closely on Figure 2, we can see multiple http requests to a specific host. To eliminate even more results, we will create a new filter which will select only those packets from the specific Host. So we locate the GET request and we apply the selected





Listing 3. Retrieving the WEP network key using the dictionary attack method
wizard32@wizard32:~$ sudo aircrack-ng -w ~/Desktop/mywordlist.txt -b 00:11:8F:8E:4E:32 ~/Desktop/W-capture.pcap
Opening /home/wizard32/Desktop/W-capture.pcap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 21096 ivs.

                                 Aircrack-ng 1.1

                 [00:00:02] Tested 7 keys (got 21096 IVs)

   KB    depth   byte(vote)
   [rows 0 and 1 unreadable in the scan]
    2    0/  1   EE(27648) 4A(26624) B9(25600) EB(25600) 8E(24832) 9A(24832) AF(24832)
   [remaining rows unreadable in the scan]

                   KEY FOUND! [ 4B:AB:EE:??:02 ]
    Decrypted correctly: 100%
line as a filter. As before, we locate the line which contains the parameters (username/password). Notice that in the packet bytes pane, the Frame tab and the Decrypted WEP data tab appear.


Table 1. POST info request

Key         Value
task        login
username    Admin
passwd      I3tmeln!


Protect from Snooping 

All of the above examples show how easy it is to obtain sensitive data by snooping on a connection. The best way to prevent this is to encrypt the data that's being sent. The best-known encryption protocols are SSL (Secure Sockets Layer) and TLS (Transport Layer Security).

The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the most widely deployed security protocols used today. They are essentially protocols that provide a secure channel between two machines operating over the Internet or over an internal network. SSL certificates have a key pair: a public and a private key. These keys work together to establish an encrypted connection. The certificate also contains what is called the "subject," which is the identity of the certificate/website owner.
Dynamic Memory
Allocation in Unix

It is not always possible, at compile time, to know how big to make all of our data structures. When we send an SQL query to the database, it may return twenty million rows, or it may return one.

The mechanism by which we persuade the operating system to give us memory on the fly is called dynamically allocated memory. This memory is outside of the memory allocated to the process, in an area known as the 'heap', and our doorway into it is a pointer to the first byte, returned by a function called malloc(). When we see code containing calls to malloc(), it may be difficult to see what it all means, because of the way it has been written, so it may be advantageous to assemble this code, piece by piece.

The basic function takes one argument, the number of bytes of memory required, and returns a pointer to the first byte of this, like this:

char *pointer;
int size = 1000000;

pointer = malloc(size);


Originally, malloc() used to return a pointer to char, since this pointed to one byte as well as anything could, but this was too simple. These days, malloc() returns a pointer to 'void', which is exactly the same as a pointer to char, but the compiler won't let you use it without a cast to your favorite data type.

Therefore, if we need a character array in the midst of our computation, we would need to rewrite the call to say:

pointer = (char *)malloc(size);


If malloc() fails, it returns a NULL pointer, which we are duty bound to check, so we code it as:

if((pointer = (char *)malloc(size)) == NULL) {
    printf("Memory allocation failed\n");
}


Now it's starting to look ugly, and can be made downright hideous by allocating an array of structures:

struct this {
    int one;
    int two;
    int three;
};
struct this *pointer;
int size = 1000000;

if((pointer = (struct this *)malloc(size * sizeof(struct this))) == NULL) {
    printf("Memory allocation failed\n");
}


Occasionally, it isn't possible to know in advance exactly how much memory we need. We may be collecting data from several different sources, to place in one array, and only know how much each source will provide when we access it.

There is another function, which permits us to alter the 
amount of memory which we previously allocated with 
malloc(), called realloc(). 

The realloc() function takes a pointer to a dynamically allocated block of memory, and a new size value, and returns a new pointer to the extended memory:

char *pointer;      /* previously returned by malloc() */
char *temp;
int newsize = 2000000;

temp = (char *)realloc(pointer, newsize);

or, to be pedantic,

if((temp = (char *)realloc(pointer, newsize)) == NULL) {
    printf("Memory reallocation failed\n");
}


If we need to use our original pointer, for cosmetic or aesthetic reasons, to point to the new memory, we simply reassign it:


pointer = temp; 


Very brave programmers, who have faith in the order in which operations are performed, can save the cost of a pointer by recycling the original pointer:

if((pointer = (char *)realloc(pointer, newsize)) == NULL) {
    printf("Memory reallocation failed\n");
}

Don't do this, because down this road lie madness and a few core dumps.

All of that was quite easy, really, but occasionally we need an array of pointers to things which, themselves, are of variable size. For instance, we may be rifling the bank's database, looking for the loan payment records of all of its hapless customers. We don't know, in advance, how many customers there will be, or how many payments they made. We start with the declaration of the two-dimensional pointer:

char **pointer;

Some programmers declare this kind of pointer as 'char *pointer[]', since this looks like a pointer to an array, but it may be more intuitive to think of this as a pointer to a pointer.

Our first task is to make the pointer to a pointer point to more than one pointer. In other words, we need an array of pointers, of the correct length. At the moment, all we have is eight bytes of memory, containing garbage. Those eight bytes need to contain the first address of an array of addresses. We do this with malloc():
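The allocation the paragraph leads up to, as an added example that is not the article's code: it allocates the array of pointers with malloc() via realloc() on a NULL pointer, grows it through a temporary pointer (the safe realloc() pattern discussed above, so the original block survives a failed call) and gives each element its own variable-length block. The struct strlist type, its functions and the sample "payment record" strings are constructed for this demo.

```c
/* Added example (not from the article): growing an array of pointers to
 * variable-length strings with malloc() and realloc(), keeping the
 * reallocated block in a temporary so the original pointer survives a
 * failure. The 'source' strings in demo_count() are constructed input. */
#include <stdlib.h>
#include <string.h>

struct strlist {
    char **items;   /* pointer to an array of pointers */
    size_t count;   /* pointers in use */
    size_t cap;     /* pointers allocated */
};

/* Append a copy of s. Returns 0 on success, -1 on allocation failure;
 * on failure the list is left exactly as it was. */
int strlist_add(struct strlist *l, const char *s)
{
    char *copy;
    if (l->count == l->cap) {
        size_t newcap = l->cap ? l->cap * 2 : 4;
        /* realloc(NULL, n) behaves like malloc(n), so the first call
         * creates the array of addresses the article talks about */
        char **temp = realloc(l->items, newcap * sizeof *temp);
        if (temp == NULL)
            return -1;           /* l->items is still valid */
        l->items = temp;
        l->cap = newcap;
    }
    copy = malloc(strlen(s) + 1);
    if (copy == NULL)
        return -1;
    strcpy(copy, s);
    l->items[l->count++] = copy;
    return 0;
}

/* Release every element, then the array of pointers itself. */
void strlist_free(struct strlist *l)
{
    size_t i;
    for (i = 0; i < l->count; i++)
        free(l->items[i]);
    free(l->items);
    l->items = NULL;
    l->count = l->cap = 0;
}

/* Total bytes of string data held, excluding terminators. */
size_t strlist_bytes(const struct strlist *l)
{
    size_t i, n = 0;
    for (i = 0; i < l->count; i++)
        n += strlen(l->items[i]);
    return n;
}

/* Demo: collect a few constructed "payment records" of differing length
 * and return how many were stored (0 if allocation failed). */
size_t demo_count(void)
{
    static const char *source[] = {
        "cust 1: 10.00", "cust 2: 12345.67", "cust 3: 0.01",
        "cust 4: 7.50", "cust 5: 99.99"
    };
    struct strlist l = { NULL, 0, 0 };
    size_t i, n;
    for (i = 0; i < sizeof source / sizeof source[0]; i++) {
        if (strlist_add(&l, source[i]) != 0) {
            strlist_free(&l);
            return 0;
        }
    }
    n = l.count;
    strlist_free(&l);
    return n;
}
```

Because the realloc() result lands in temp first, a failed growth leaves l->items, l->count and l->cap untouched and every string already stored is still reachable and still freeable, which is exactly what the "recycle the original pointer" form loses.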


Linked Lists 

When we are collecting data, the obvious, and simplest 
way of doing so, is to declare a structure, then declare a 
pointer to its type, and malloc an instance. As we acquire 
more data, we simply realloc our array of structures, and 
tack the data on to the end. 

For getting rows of data out of a database cursor, this is great, and you shouldn't consider any other approach. However, what happens if you want to remove the 154th data element from the array? Or, perhaps, insert the 154th element?

What if, you are storing data from several sources, like 
the roads on a map, which you need to attach to specific 
elements of your array, like the road junctions? 

Not so simple. 

Despite the mental picture conjured up by the word 'list', a linked list can be one-dimensional, two-dimensional or multi-dimensional. Apart from the street map mentioned above, another well-known application is an electronic circuit diagram, where there are components, connected by wires, which together form a two-dimensional figure. Add to that airline routes, railway systems, and the dynamically changing positions of pieces on a chessboard, and you get an idea of the usefulness of linked lists.

The Unix file system uses a linked list to map the blocks allocated to all of the files on a disk. As files are added, deleted, increase or decrease in size, the linked list is appropriately manipulated to reflect the current position.

Okay, so what, exactly, is a linked list? 

One of my lecturers described linked lists as ‘a hundred 
blind men, holding hands in the dark’. 

To stretch the analogy a little further, we can add that 
two of the men have a little red light attached to their 
heads, so you can see them. 

Basically, a linked list is a series of data structures, with 
a special data structure at the head, and another special 
data structure at the tail of the list. 

Let's begin with a definition of the data structure. 


struct queue {
    struct queue *fwd;
    struct queue *rev;
    char data[1024];
};
Ignoring the embedded data array, notice that there are two pointers, each to a type 'struct queue', within the data structure. One is a forward pointer (*fwd), and the other a reverse pointer (*rev).

It is these pointers, which link the linked list. Since we 
are using a forward and a reverse pointer, this will be a 
doubly linked list, but for some applications, we can omit 
either pointer, and just create a singly linked list. 

We'll only consider the doubly linked list, as the amount 
of extra effort to do so is minimal. 

First, we need to define the special structures for the 
head and tail. 


struct queue *head;
struct queue *tail;


Since these are currently pointers to nothing, let's initialize them to some real memory:

if((head = (struct queue *)malloc(sizeof(struct queue))) == NULL) {
    printf("Can't allocate memory for head\n");
    return(-1);
}

if((tail = (struct queue *)malloc(sizeof(struct queue))) == NULL) {
    printf("Can't allocate memory for tail\n");
    return(-1);
}


Now we have two blind men with lights on their heads, so we can see them, but they still can't see each other. Let's fix that. We take the fwd pointer of the head and attach it to the tail, and the rev pointer of the tail and attach it to the head.

head->fwd = tail;
tail->rev = head;


To identify the head and tail, we need to set the rev 
pointer of the head to NULL, and to do the same with the 
fwd pointer of the tail. 


head->rev = NULL; 
tail->fwd = NULL; 


Now the two blind men have placed their free hand onto a wall, which gives a clue as to how we know we've reached either end when we're searching the list.

Now we have to add an element to our list, which we can do at the head or at the tail. This is usually done within a subroutine, imaginatively called add_elmnt() or something, since we don't want to repeat the code a few hundred times in our program.

First, we create an element 


struct queue *elmnt;


if((elmnt = (struct queue *)malloc(sizeof(struct queue))) == NULL) {
    printf("Can't allocate memory for elmnt\n");
    return(-1);
}


Then, to add this at the head, we do the following, in the 
following order. Changing the order may lead to attempts 
to attach to undefined pointers: 


• We first take our rev pointer, and point it to the head, whose address we know.


elmnt->rev = head;


• Then, we point our fwd pointer to the address pointed to by the head's fwd pointer.


elmnt->fwd = head->fwd;


• Next, we take the rev pointer of the structure pointed to by the fwd pointer of the head, and point it to ourselves.


elmnt->fwd->rev = elmnt;


• At this point, we are attached to both head and tail, and can safely detach the head’s fwd pointer from the tail, and attach it to ourselves.


head->fwd = elmnt;


Why did we do the acrobatics in the third step? Why not, 
instead, just say 


tail->rev = elmnt; ? 


The answer is, that we only know the position of the tail 
before we add the first element. However, we always 
know that the rev pointer of the structure following the 
head points back to the head. 

If we're adding our elements to the end of the list, we follow the same method, except that we only know the address of the tail:


elmnt->fwd = tail;
elmnt->rev = tail->rev;
elmnt->rev->fwd = elmnt;
tail->rev = elmnt;


Let us now assume that we have a list of a hundred ele- 
ments, and we want to scan it. 

We can’t do an indexed scan, since we don't have an 
array, and we can't make any assumptions about the ad- 
dresses of the elements, since malloc just grabs memory 
from wherever it’s free. 

We need a pointer to struct queue, to traverse the structures, so we define a cursor


struct queue *cursor;


Then, we set up a loop:


for(cursor = head->fwd; cursor->fwd != NULL; cursor = cursor->fwd) {
    /* do loopy things */
}


The initialisation is obvious: we just need to start at the 
first element, past the head of the list. Occasionally, the 
head and tail contain extra elements, such as queue 
length etc, so it may be necessary to start with ‘cursor = 
head’, but we have no such need. The loop increment is 
equally obvious, in that the cursor sets its new address 
to that pointed to by the current element. 

The loop termination conditions may not be so obvious. 
Why not just say ‘cursor != tail’? Well, you can. However, 
it is not a good habit to get into, since some loops may 
have conditions within them, which cause the cursor to 
increment by more than one element. Down that road lies 
‘segmentation error — core dumped’...

Looking for a NULL fwd pointer is a guarantee that you’ve reached the end of the list, since only the tail has it set to NULL.

How about searching in reverse? Easy. 


for(cursor = tail->rev; cursor->rev != NULL; cursor = cursor->rev) {
    /* do loopy things */
}


Now that we can insert elements, and create a long list, 
then search our list, this just leaves us with the task of 
deleting an element. 

We need to take the same amount of care with deleting as we took with adding an element. For the sake of example, let's say we want to delete any element with an empty data element in the queue structure:


for(cursor = head->fwd; cursor->fwd != NULL; cursor = cursor->fwd) {
    if (cursor->data[0] == 0x00) {
        cursor->fwd->rev = cursor->rev;
        cursor->rev->fwd = cursor->fwd;
        free(cursor);   /* BUG: the loop increment then reads the freed element */
    }
}


We take the rev pointer of the structure pointed to by our 
fwd pointer, and point it at the address being pointed to 
by our rev pointer. Next, we take the fwd pointer of the 
structure being pointed to by our rev pointer, and point it 
at the address being pointed to by our fwd pointer. 

This has now bypassed our current element, so we can free it. Right? Well, the cursor address is still the same as that of the original element so, yes, we can.

However, what happens when we get back to the top of 
the loop? It'll try and set cursor to cursor->fwd. This will 
work — most of the time. 

The problem is that we just freed that piece of memory, which gives the operating system permission to give it to someone else. On an idle system (like the development machine), nothing will happen, and the loop will run to completion but, on a busy system (like production) another process might snatch that piece of memory, leaving our cursor to jump into the weeds, somewhere on the heap, and the testers will call you out in the middle of the night to fix it.

You could decide that you can live with the memory leak, and omit the free() call, in which case, you should firmly close this page, and seek an alternative career.

To do it properly, what you need is a second cursor.


struct queue *sentry;


for(cursor = head->fwd, sentry = cursor; cursor->fwd != NULL; cursor = cursor->fwd) {
    if (cursor->data[0] == 0x00) {
        sentry = cursor->rev;           /* remember the element before this one */
        cursor->fwd->rev = cursor->rev;
        cursor->rev->fwd = cursor->fwd;
        free(cursor);
        cursor = sentry;                /* so the increment steps from live memory */
    }
}


Now, let’s see what happens.

As soon as we've found the element we wish to delete, we set sentry to the previous element. When we've deleted our element from the list, and freed its memory, we set cursor to the same address as sentry, which is the element before the current one. The loop now advances the cursor, correctly, to the next element.
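As an added example (not the article's code), here is the whole procedure compiled into one file: the head and tail sentinels, insertion at the head in the order given above, a scan that stops at the tail's NULL fwd pointer, and the two-cursor delete. Only the struct fields and the names head, tail, cursor and sentry come from the article; new_node, list_init, add_at_head, list_len, delete_empty and demo_build are this example's own, data[] is shortened to 32 bytes, and the sample list is constructed.

```c
#include <stdlib.h>
#include <string.h>
struct queue {
    struct queue *fwd, *rev;    /* the article's two links */
    char data[32];              /* the article's 1024-byte payload, shortened */
};
static struct queue *new_node(const char *s) {
    struct queue *n = calloc(1, sizeof *n);      /* zeroed, so data[0] == 0 */
    if (n == NULL) exit(1);
    if (s != NULL) strncpy(n->data, s, sizeof n->data - 1);
    return n;
}
/* Head and tail point at each other; their outer pointers stay NULL to mark the ends. */
struct queue *list_init(void) {
    struct queue *head = new_node(NULL), *tail = new_node(NULL);
    head->fwd = tail;  tail->rev = head;
    return head;
}
/* Insert after head in the article's order: rev, fwd, neighbour's rev, then head's fwd. */
void add_at_head(struct queue *head, const char *s) {
    struct queue *e = new_node(s);
    e->rev = head;
    e->fwd = head->fwd;
    e->fwd->rev = e;
    head->fwd = e;
}
/* Count elements; stop when the cursor is the tail (only its fwd is NULL). */
int list_len(struct queue *head) {
    int n = 0;
    for (struct queue *c = head->fwd; c->fwd != NULL; c = c->fwd) n++;
    return n;
}
/* Free empty elements; sentry holds the predecessor so the increment reads a live node, never freed memory. */
void delete_empty(struct queue *head) {
    for (struct queue *cursor = head->fwd, *sentry; cursor->fwd != NULL; cursor = cursor->fwd) {
        if (cursor->data[0] == 0x00) {
            sentry = cursor->rev;
            cursor->fwd->rev = cursor->rev;
            cursor->rev->fwd = cursor->fwd;
            free(cursor);
            cursor = sentry;
        }
    }
}
/* Constructed sample: five elements, three empty; purge != 0 runs the delete pass. */
struct queue *demo_build(int purge) {
    static const char *sample[] = { "alpha", "", "beta", "", "" };
    struct queue *head = list_init();
    for (int i = 0; i < 5; i++) add_at_head(head, sample[i]);
    if (purge) delete_empty(head);
    return head;
}
int main(void) {
    return list_len(demo_build(1)) == 2 ? 0 : 1;   /* "beta" and "alpha" remain */
}
```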

As we mentioned earlier, linked lists can be multi-dimen- 
sional. To create a two-dimensional list, suitable for cre- 
ating matrices, maps, and other topological representa- 
tions, we only need to change the basic element. 


struct elmnt {
    struct elmnt *fwd;
    struct elmnt *rev;
    struct elmnt *up;
    struct elmnt *dn;
    char data[1024];
};


Now, instead of just a forward and a reverse pointer, we 
have an up and a down pointer, as well. 

The process of adding an element now also includes setting the latter two. If the element being added is just another linear element, we set the up and dn pointers to NULL but, if it is a branch point, we have to set them to point up to the newly added structure, and back down to the branch point.

Let's say we already have our linear linked list, and we 
wish to add one element above, and another below the 
first element after the head. 


elmnt->dn = head->fwd; 
head->fwd->up = elmnt; 
head->fwd->dn = NULL; 
elmnt->up = NULL; 


Note that we leave no trailing pointers, but terminate 
them with a NULL, so we can find the end of the branch. 

Next, we add a new element below the first element af- 
ter the head. 


elmnt->up = head->fwd;
head->fwd->dn = elmnt;
head->fwd->dn->dn = NULL;


Note that we don't set the head->fwd->up pointer to 
NULL, as we just added an element there. 

Traversing such a list will require two cursors, in two 
nested loops. The main loop traverses the list in a hori- 
zontal direction, with hcursor, while the two inner loops 
traverse the branches vertically up or down, with vcursor. 
for(hcursor = head->fwd; hcursor->fwd != NULL; hcursor = hcursor->fwd) {
    if (hcursor->up != NULL) {
        /* start above the branch point; a branch ends with a NULL pointer */
        for(vcursor = hcursor->up; vcursor != NULL; vcursor = vcursor->up) {
            /* traverse the upward bound list */
        }
    }
    if (hcursor->dn != NULL) {
        for(vcursor = hcursor->dn; vcursor != NULL; vcursor = vcursor->dn) {
            /* traverse the downward bound list */
        }
    }
}

Three dimensional linked lists work in exactly the same 
way, with an element defined as 


struct elmnt {
    struct elmnt *fwd;
    struct elmnt *rev;
    struct elmnt *up;
    struct elmnt *dn;
    struct elmnt *out;
    struct elmnt *in;
    char data[1024];
};

where ‘out’ and ‘in’ are the z-axis pointers. 

It is left as an exercise for the reader, to design a func- 
tion to add such an element to a linked list, and then to 
define a traversal function. 


MARK SITKOWSKI 
Mark Sitkowski, C.Eng, M.I.E.E., Consultant to Forticom Security
Technology makes a wonderful slave but a cruel master. Both Amazon and Tesco, major retailers in the UK and worldwide, have been severely criticised in the media for the use of technology to control and monitor staff excessively. As IT professionals, where do we draw the ethical line in the sand?


like an axe in the hands of a pathological criminal.” 

Time and again throughout history, as a society we have seen the positive contributions made by innovators, creatives, engineers, architects and humanitarians perverted and used for immoral if not evil ends. Tempting though it would be to take Einstein's quote and neatly assign to the technologists the role of the angels and to the politicians, bankers, society or whoever else the role of the pathological criminal, this would be far too simplistic. As far as I am concerned, the actions of black-hat hackers, spammers and the various other forms of Internet low-life are definitely criminal if not pathological. Of course, we must make allowances for the uneducated and the unaware, and I do not include here the average end user who has a compromised PC due to poor web hygiene. No, we are talking about those whose hearts are dark and who choose to use technology for their own agenda, rather than for the benefit of all.

Traditionally, the guru was party to esoteric knowledge 
shared with others either for financial, spiritual or social 
status. The first rule for the guru was the protection of 
knowledge and wisdom, as it was widely understood that 
the value of the guru would be inversely proportional to 
the number of people who were cognisant of the “magic”. Essentially, the same morality exists today in the form 
of the established professions — Doctors, Lawyers, Ar- 
chitects etc. — the amount of studying, self-sacrifice and 
knowledge that is required to achieve qualification and 
recognition is great, so the profession then erects barriers 
to those that are not initiated. This in turn leads to sepa- 
ration within society, between those with the knowledge 
and as a consequence — power — and those that do not. 
This has led to cries from the “have nots” of injustice, and 
so the political ideologies of Marxism, Communism, Mao- 
ism, Stalinism, Socialism etc. gained traction and politi- 
cal credence in the 20th century. Irrespective of the basis 
of these riches, whether they be intellectual, financial, or 
physical, there were secrets to keep, professional rela- 
tionships to be nurtured and at all costs the status quo to 
be maintained. 

Aside from political argument as to whether or not Capi- 
talism or any other doctrine is superior, the second rule for 
the guru is do not whistle-blow. Ever. The consequences 
of being an initiate and sharing “dirty washing in public” 
range from censure, character assassination to potentially 
death depending on the quality, importance and potential 
embarrassment caused by the information being shared. 
Just ask Frank Serpico. Unfortunately we cannot ask Kar- 
en Silkwood. Of course, if “leaking” information is useful 
to discrediting another guru, often this will be encouraged. 

So I have no problem at all in awarding Edward Snowden the author's “IT Man of the year” award for courage, honesty and integrity, but qualified with a very small pinch of salt. While it is difficult to get to the bottom of any spook-based operation, especially taking into account the incestuous relationship the media (including the alternative media) have with the security services, it is hard to reconcile on a pragmatic basis why ES chose to seek asylum in Russia. Maybe it was the harsh hand of fate, the bitter cup of circumstance that placed him in these circumstances. Unless this becomes public knowledge, or we manage to share a cup or two of coffee, I doubt I will ever know. But if I was in his shoes, I would have chosen a host that couldn't potentially change his role from truth-teller to political pawn a la the exchanges that happened on the borders of East and West Germany during the cold war. We mustn't judge though — as far as I am concerned ES has made a tremendous sacrifice and we must honour that irrespective of the geopolitical rhetoric. In my book, a truth-teller, whether communist, fascist or capitalist, must be applauded wholeheartedly.

But let's get back to reality, rather than a media frenzy of accusation and counter accusation. The problem with committed IT professionals (and I use the word committed here in the sense that we are passionate rather than candidates for the lunatic asylum) is that what we are involved with is often on the scale of rocket science, nuclear physics or whatever. A few thousand lines of code can change lives. Our product can be the stiletto that is used to shave 20% off the staffing levels of an organisation, or maybe as system administrators we can be asked to forget major “ethical hiccups”. And some of us write code for nuclear weapons guidance systems. When you are submerged in lines of code, caught in the political management crossfire with a serious deadline due, or just burnt out with the whole shebang, it is important to remember the context, despite how difficult that is to do.

Like all of society, IT has its mix of extroverts and introverts. Personally, I prefer quality over quantity, so I spend my time writing long leader columns that will hopefully entertain and communicate rather than lots of spurious noise on Facebook and Twitter. Sheesh, I don’t even have a blog. So in Internet terms, I am probably a confirmed introvert (I do occasionally reply to emails. If you have any constructive comments on these columns, or would like to discuss, please feel free to email me at me@merville.co.uk.). Others are more comfortable baring their heart in short bursts. I aim for 1000 words. Maybe I am a dinosaur, but as I mentioned earlier context is everything, and that is why every guru has to take his personal path to enlightenment. Only you know from your personal value system if the project you are working on is a threat. Does it pass the smell factor? How uneasy do you feel? Could you justify it in front of your manager? The CEO? The shareholders? Society? The universe? God?

To be honest, I feel sorry for the coders and techs involved in the Amazon and Tesco projects. Payback in the form of negative media exposure, no matter how distanced you are from the source or target, is never pleasant. At the time, everything was probably justified from a management and project perspective, but naturally hindsight has 20-20 vision. In all my years as a tech, apart from those leaning towards or in management, I have never met an IT specialist who wanted to see jobs lost or benefits reduced by the application of technology. Maybe I have worked with too many idealists, but we all wanted to make things better. Safer. More productive. Less stressful. More fun. And at the same time make an honest buck. So let’s raise our glasses in New Year 2014 to the Snowdens, Assanges, Tesco and Amazon employees who have had the courage to blow the whistle. And may they be our encouragement to do likewise as we enter deeper into the age of the pathological criminal.


ROB SOMERVILLE 

Rob Somerville has been passionate about technology since his early 
teens. A keen advocate of open systems since the mid-eighties, he has 
worked in many corporate sectors including finance, automotive, air- 
lines, government and media in a variety of roles from technical sup- 
port, system administrator, developer, systems integrator and IT man- 
ager. He has moved on from CP/M and nixie tubes but keeps a solder- 
ing iron handy just in case. 